Mercurial > hg > nginx

annotate src/event/ngx_event_openssl.c @ 6854:75e7d55214bd

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: support AES256 encryption of tickets. This implies ticket key size of 80 bytes instead of previously used 48, as both HMAC and AES keys are 32 bytes now. When an old 48-byte ticket key is provided, we fall back to using backward-compatible AES128 encryption. OpenSSL switched to using AES256 in 1.1.0, and we are providing equivalent security. While here, order of HMAC and AES keys was reverted to make the implementation compatible with keys used by OpenSSL with SSL_CTX_set_tlsext_ticket_keys(). Prodded by Christian Klinger.
author Maxim Dounin <mdounin@mdounin.ru>
date Fri, 23 Dec 2016 17:28:20 +0300
parents 25d0d6dabe00
children 5cb85b0ee00b
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
441
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 399
diff changeset
1
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 399
diff changeset
2 /*
444
42d11f017717 nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents: 441
diff changeset
3 * Copyright (C) Igor Sysoev
4412
d620f497c50f Copyright updated.
Maxim Konovalov <maxim@nginx.com>
parents: 4400
diff changeset
4 * Copyright (C) Nginx, Inc.
441
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 399
diff changeset
5 */
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 399
diff changeset
6
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
7
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
8 #include <ngx_config.h>
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
9 #include <ngx_core.h>
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
10 #include <ngx_event.h>
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
11
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
12
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
13 #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
14
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
15
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
16 typedef struct {
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
17 ngx_uint_t engine; /* unsigned engine:1; */
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
18 } ngx_openssl_conf_t;
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 473
diff changeset
19
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
20
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
21 static int ngx_ssl_password_callback(char *buf, int size, int rwflag,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
22 void *userdata);
5222
23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents: 5081
diff changeset
23 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
24 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
25 int ret);
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
26 static void ngx_ssl_passwords_cleanup(void *data);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
27 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
28 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
29 static void ngx_ssl_write_handler(ngx_event_t *wev);
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
30 static void ngx_ssl_read_handler(ngx_event_t *rev);
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
31 static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
32 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
33 ngx_err_t err, char *text);
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
34 static void ngx_ssl_clear_error(ngx_log_t *log);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
35
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
36 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
37 ngx_str_t *sess_ctx);
3992
a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents: 3962
diff changeset
38 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
39 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
40 ngx_ssl_session_t *sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
41 static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
6487
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
42 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
43 const
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
44 #endif
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
45 u_char *id, int len, int *copy);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
46 static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
47 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
48 ngx_slab_pool_t *shpool, ngx_uint_t n);
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
49 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
50 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
51
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
52 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
53 static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
54 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
55 HMAC_CTX *hctx, int enc);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
56 #endif
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
57
6725
9b9ae81cd4f0 SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6699
diff changeset
58 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
5661
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
59 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
60 #endif
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
61
6815
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
62 static time_t ngx_ssl_parse_time(
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
63 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
64 const
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
65 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
66 ASN1_TIME *asn1time);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
67
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
68 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
69 static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
70 static void ngx_openssl_exit(ngx_cycle_t *cycle);
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
71
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
72
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
73 static ngx_command_t ngx_openssl_commands[] = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
74
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
75 { ngx_string("ssl_engine"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
76 NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
77 ngx_openssl_engine,
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
78 0,
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
79 0,
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
80 NULL },
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
81
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
82 ngx_null_command
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
83 };
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
84
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
85
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
86 static ngx_core_module_t ngx_openssl_module_ctx = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
87 ngx_string("openssl"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
88 ngx_openssl_create_conf,
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
89 NULL
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
90 };
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
91
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
92
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
93 ngx_module_t ngx_openssl_module = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
94 NGX_MODULE_V1,
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
95 &ngx_openssl_module_ctx, /* module context */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
96 ngx_openssl_commands, /* module directives */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
97 NGX_CORE_MODULE, /* module type */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
98 NULL, /* init master */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
99 NULL, /* init module */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
100 NULL, /* init process */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
101 NULL, /* init thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
102 NULL, /* exit thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
103 NULL, /* exit process */
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
104 ngx_openssl_exit, /* exit master */
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
105 NGX_MODULE_V1_PADDING
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
106 };
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
107
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
108
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
109 int ngx_ssl_connection_index;
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
110 int ngx_ssl_server_conf_index;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
111 int ngx_ssl_session_cache_index;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
112 int ngx_ssl_session_ticket_keys_index;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
113 int ngx_ssl_certificate_index;
6548
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
114 int ngx_ssl_next_certificate_index;
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
115 int ngx_ssl_certificate_name_index;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
116 int ngx_ssl_stapling_index;
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
117
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
118
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
119 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
120 ngx_ssl_init(ngx_log_t *log)
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
121 {
6488
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
122 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
123
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
124 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
125
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
126 #else
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
127
968
1b60ecc8cdb7 OPENSSL_config()
Igor Sysoev <igor@sysoev.ru>
parents: 671
diff changeset
128 OPENSSL_config(NULL);
1b60ecc8cdb7 OPENSSL_config()
Igor Sysoev <igor@sysoev.ru>
parents: 671
diff changeset
129
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
130 SSL_library_init();
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
131 SSL_load_error_strings();
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
132
3464
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents: 3457
diff changeset
133 OpenSSL_add_all_algorithms();
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents: 3457
diff changeset
134
6488
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
135 #endif
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
136
4868
22a6ef66b6f5 SSL: added version checks for ssl compression workaround.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4867
diff changeset
137 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
4696
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
138 #ifndef SSL_OP_NO_COMPRESSION
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
139 {
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
140 /*
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
141 * Disable gzip compression in OpenSSL prior to 1.0.0 version,
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
142 * this saves about 522K per connection.
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
143 */
4867
90bbf2adb2c9 SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4696
diff changeset
144 int n;
4696
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
145 STACK_OF(SSL_COMP) *ssl_comp_methods;
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
146
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
147 ssl_comp_methods = SSL_COMP_get_compression_methods();
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
148 n = sk_SSL_COMP_num(ssl_comp_methods);
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
149
4867
90bbf2adb2c9 SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4696
diff changeset
150 while (n--) {
90bbf2adb2c9 SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4696
diff changeset
151 (void) sk_SSL_COMP_pop(ssl_comp_methods);
4696
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
152 }
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
153 }
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
154 #endif
4868
22a6ef66b6f5 SSL: added version checks for ssl compression workaround.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4867
diff changeset
155 #endif
4696
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
156
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
157 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
158
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
159 if (ngx_ssl_connection_index == -1) {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
160 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
161 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
162 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
163
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
164 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
165 NULL);
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
166 if (ngx_ssl_server_conf_index == -1) {
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
167 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
168 "SSL_CTX_get_ex_new_index() failed");
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
169 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
170 }
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
171
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
172 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
173 NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
174 if (ngx_ssl_session_cache_index == -1) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
175 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
176 "SSL_CTX_get_ex_new_index() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
177 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
178 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
179
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
180 ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
181 NULL, NULL);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
182 if (ngx_ssl_session_ticket_keys_index == -1) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
183 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
184 "SSL_CTX_get_ex_new_index() failed");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
185 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
186 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
187
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
188 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
189 NULL);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
190 if (ngx_ssl_certificate_index == -1) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
191 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
192 "SSL_CTX_get_ex_new_index() failed");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
193 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
194 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
195
6548
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
196 ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
197 NULL);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
198 if (ngx_ssl_next_certificate_index == -1) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
199 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
200 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
201 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
202
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
203 ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
204 NULL);
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
205
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
206 if (ngx_ssl_certificate_name_index == -1) {
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
207 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
208 return NGX_ERROR;
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
209 }
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
210
6545
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6490
diff changeset
211 ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL);
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6490
diff changeset
212
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
213 if (ngx_ssl_stapling_index == -1) {
6545
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6490
diff changeset
214 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
215 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
216 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
217
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
218 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
219 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
220
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
221
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
222 ngx_int_t
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
223 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
224 {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
225 ssl->ctx = SSL_CTX_new(SSLv23_method());
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
226
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
227 if (ssl->ctx == NULL) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
228 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
229 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
230 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
231
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
232 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
233 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
234 "SSL_CTX_set_ex_data() failed");
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
235 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
236 }
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
237
6548
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
238 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
239 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
240 "SSL_CTX_set_ex_data() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
241 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
242 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
243
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5450
diff changeset
244 ssl->buffer_size = NGX_SSL_BUFSIZE;
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5450
diff changeset
245
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
246 /* client side options */
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
247
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
248 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
249 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
250 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
251
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
252 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
253 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
254 #endif
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
255
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
256 /* server side options */
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
257
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
258 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
259 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
260 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
261
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
262 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
263 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
264 #endif
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
265
5378
a73678f5f96f SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
Piotr Sikora <piotr@cloudflare.com>
parents: 5365
diff changeset
266 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
267 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
268 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
5378
a73678f5f96f SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
Piotr Sikora <piotr@cloudflare.com>
parents: 5365
diff changeset
269 #endif
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
270
5778
45ed2f1f0a6a SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents: 5777
diff changeset
271 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
272 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
5778
45ed2f1f0a6a SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents: 5777
diff changeset
273 #endif
45ed2f1f0a6a SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents: 5777
diff changeset
274
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
275 #ifdef SSL_OP_TLS_D5_BUG
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
276 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
277 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
278
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
279 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
280 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
281 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
282
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
283 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
284 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
5823
275e35d54626 SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents: 5779
diff changeset
285 #endif
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
286
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
287 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
288
6034
3e847964ab55 SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5986
diff changeset
289 #ifdef SSL_CTRL_CLEAR_OPTIONS
3e847964ab55 SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5986
diff changeset
290 /* only in 0.9.8m+ */
3e847964ab55 SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5986
diff changeset
291 SSL_CTX_clear_options(ssl->ctx,
3e847964ab55 SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5986
diff changeset
292 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
3e847964ab55 SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5986
diff changeset
293 #endif
3e847964ab55 SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5986
diff changeset
294
4400
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
295 if (!(protocols & NGX_SSL_SSLv2)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
296 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
297 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
298 if (!(protocols & NGX_SSL_SSLv3)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
299 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
300 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
301 if (!(protocols & NGX_SSL_TLSv1)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
302 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
303 }
4400
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
304 #ifdef SSL_OP_NO_TLSv1_1
6034
3e847964ab55 SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5986
diff changeset
305 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
4400
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
306 if (!(protocols & NGX_SSL_TLSv1_1)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
307 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
308 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
309 #endif
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
310 #ifdef SSL_OP_NO_TLSv1_2
6034
3e847964ab55 SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5986
diff changeset
311 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
4400
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
312 if (!(protocols & NGX_SSL_TLSv1_2)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
313 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
314 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
315 #endif
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
316
4185
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents: 4064
diff changeset
317 #ifdef SSL_OP_NO_COMPRESSION
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents: 4064
diff changeset
318 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents: 4064
diff changeset
319 #endif
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents: 4064
diff changeset
320
4186
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents: 4185
diff changeset
321 #ifdef SSL_MODE_RELEASE_BUFFERS
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents: 4185
diff changeset
322 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents: 4185
diff changeset
323 #endif
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents: 4185
diff changeset
324
6036
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6034
diff changeset
325 #ifdef SSL_MODE_NO_AUTO_CHAIN
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6034
diff changeset
326 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6034
diff changeset
327 #endif
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6034
diff changeset
328
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
329 SSL_CTX_set_read_ahead(ssl->ctx, 1);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
330
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
331 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
332
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
333 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
334 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
335
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
336
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
337 ngx_int_t
6550
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
338 ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
339 ngx_array_t *keys, ngx_array_t *passwords)
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
340 {
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
341 ngx_str_t *cert, *key;
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
342 ngx_uint_t i;
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
343
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
344 cert = certs->elts;
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
345 key = keys->elts;
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
346
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
347 for (i = 0; i < certs->nelts; i++) {
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
348
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
349 if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords)
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
350 != NGX_OK)
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
351 {
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
352 return NGX_ERROR;
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
353 }
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
354 }
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
355
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
356 return NGX_OK;
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
357 }
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
358
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
359
51e1f047d15d SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6549
diff changeset
360 ngx_int_t
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
361 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
362 ngx_str_t *key, ngx_array_t *passwords)
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
363 {
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
364 BIO *bio;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
365 X509 *x509;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
366 u_long n;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
367 ngx_str_t *pwd;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
368 ngx_uint_t tries;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
369
5330
314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5317
diff changeset
370 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
371 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
372 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
373
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
374 /*
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
375 * we can't use SSL_CTX_use_certificate_chain_file() as it doesn't
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
376 * allow to access certificate later from SSL_CTX, so we reimplement
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
377 * it here
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
378 */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
379
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
380 bio = BIO_new_file((char *) cert->data, "r");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
381 if (bio == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
382 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
383 "BIO_new_file(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
384 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
385 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
386
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
387 x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
388 if (x509 == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
389 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
390 "PEM_read_bio_X509_AUX(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
391 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
392 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
393 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
394
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
395 if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
396 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
397 "SSL_CTX_use_certificate(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
398 X509_free(x509);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
399 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
400 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
401 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
402
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
403 if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data)
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
404 == 0)
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
405 {
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
406 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
407 X509_free(x509);
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
408 BIO_free(bio);
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
409 return NGX_ERROR;
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
410 }
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6780
diff changeset
411
6548
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
412 if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
413 SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index))
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
414 == 0)
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
415 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
416 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
417 X509_free(x509);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
418 BIO_free(bio);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
419 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
420 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
421
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
422 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509)
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
423 == 0)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
424 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
425 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
426 "SSL_CTX_set_ex_data() failed");
5384
cfbf1d1cc233 SSL: fixed possible memory and file descriptor leak on HUP signal.
Piotr Sikora <piotr@cloudflare.com>
parents: 5378
diff changeset
427 X509_free(x509);
cfbf1d1cc233 SSL: fixed possible memory and file descriptor leak on HUP signal.
Piotr Sikora <piotr@cloudflare.com>
parents: 5378
diff changeset
428 BIO_free(bio);
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
429 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
430 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
431
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
432 /* read rest of the chain */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
433
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
434 for ( ;; ) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
435
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
436 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
437 if (x509 == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
438 n = ERR_peek_last_error();
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
439
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
440 if (ERR_GET_LIB(n) == ERR_LIB_PEM
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
441 && ERR_GET_REASON(n) == PEM_R_NO_START_LINE)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
442 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
443 /* end of file */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
444 ERR_clear_error();
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
445 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
446 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
447
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
448 /* some real error */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
449
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
450 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
451 "PEM_read_bio_X509(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
452 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
453 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
454 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
455
6549
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
456 #ifdef SSL_CTRL_CHAIN_CERT
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
457
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
458 /*
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
459 * SSL_CTX_add0_chain_cert() is needed to add chain to
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
460 * a particular certificate when multiple certificates are used;
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
461 * only available in OpenSSL 1.0.2+
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
462 */
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
463
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
464 if (SSL_CTX_add0_chain_cert(ssl->ctx, x509) == 0) {
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
465 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
466 "SSL_CTX_add0_chain_cert(\"%s\") failed",
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
467 cert->data);
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
468 X509_free(x509);
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
469 BIO_free(bio);
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
470 return NGX_ERROR;
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
471 }
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
472
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
473 #else
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
474 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
475 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
476 "SSL_CTX_add_extra_chain_cert(\"%s\") failed",
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
477 cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
478 X509_free(x509);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
479 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
480 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
481 }
6549
d3302eb87a0c SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6548
diff changeset
482 #endif
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
483 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
484
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
485 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
486
5934
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
487 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
488
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
489 #ifndef OPENSSL_NO_ENGINE
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
490
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
491 u_char *p, *last;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
492 ENGINE *engine;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
493 EVP_PKEY *pkey;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
494
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
495 p = key->data + sizeof("engine:") - 1;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
496 last = (u_char *) ngx_strchr(p, ':');
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
497
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
498 if (last == NULL) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
499 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
500 "invalid syntax in \"%V\"", key);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
501 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
502 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
503
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
504 *last = '\0';
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
505
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
506 engine = ENGINE_by_id((char *) p);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
507
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
508 if (engine == NULL) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
509 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
510 "ENGINE_by_id(\"%s\") failed", p);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
511 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
512 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
513
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
514 *last++ = ':';
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
515
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
516 pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
517
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
518 if (pkey == NULL) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
519 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
520 "ENGINE_load_private_key(\"%s\") failed", last);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
521 ENGINE_free(engine);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
522 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
523 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
524
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
525 ENGINE_free(engine);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
526
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
527 if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
528 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
529 "SSL_CTX_use_PrivateKey(\"%s\") failed", last);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
530 EVP_PKEY_free(pkey);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
531 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
532 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
533
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
534 EVP_PKEY_free(pkey);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
535
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
536 return NGX_OK;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
537
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
538 #else
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
539
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
540 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
541 "loading \"engine:...\" certificate keys "
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
542 "is not supported");
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
543 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
544
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
545 #endif
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
546 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents: 5902
diff changeset
547
5330
314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5317
diff changeset
548 if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
549 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
550 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
551
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
552 if (passwords) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
553 tries = passwords->nelts;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
554 pwd = passwords->elts;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
555
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
556 SSL_CTX_set_default_passwd_cb(ssl->ctx, ngx_ssl_password_callback);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
557 SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, pwd);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
558
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
559 } else {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
560 tries = 1;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
561 #if (NGX_SUPPRESS_WARN)
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
562 pwd = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
563 #endif
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
564 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
565
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
566 for ( ;; ) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
567
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
568 if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
569 SSL_FILETYPE_PEM)
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
570 != 0)
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
571 {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
572 break;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
573 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
574
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
575 if (--tries) {
5892
42520df85ebb SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 5882
diff changeset
576 ERR_clear_error();
42520df85ebb SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 5882
diff changeset
577 SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
42520df85ebb SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 5882
diff changeset
578 continue;
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
579 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
580
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
581 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
582 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
583 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
584 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
585
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
586 SSL_CTX_set_default_passwd_cb(ssl->ctx, NULL);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
587
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
588 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
589 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
590
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
591
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
592 static int
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
593 ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
594 {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
595 ngx_str_t *pwd = userdata;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
596
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
597 if (rwflag) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
598 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
599 "ngx_ssl_password_callback() is called for encryption");
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
600 return 0;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
601 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
602
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
603 if (pwd->len > (size_t) size) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
604 ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
605 "password is truncated to %d bytes", size);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
606 } else {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
607 size = pwd->len;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
608 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
609
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
610 ngx_memcpy(buf, pwd->data, size);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
611
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
612 return size;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
613 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
614
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
615
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
616 ngx_int_t
6591
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
617 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
618 ngx_uint_t prefer_server_ciphers)
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
619 {
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
620 if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
621 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
622 "SSL_CTX_set_cipher_list(\"%V\") failed",
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
623 ciphers);
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
624 return NGX_ERROR;
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
625 }
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
626
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
627 if (prefer_server_ciphers) {
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
628 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
629 }
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
630
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
631 #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
632 /* a temporary 512-bit RSA key is required for export versions of MSIE */
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
633 SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
634 #endif
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
635
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
636 return NGX_OK;
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
637 }
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
638
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
639
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents: 6554
diff changeset
640 ngx_int_t
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
641 ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
642 ngx_int_t depth)
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
643 {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
644 STACK_OF(X509_NAME) *list;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
645
5222
23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents: 5081
diff changeset
646 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
647
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
648 SSL_CTX_set_verify_depth(ssl->ctx, depth);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
649
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
650 if (cert->len == 0) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
651 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
652 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
653
5330
314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5317
diff changeset
654 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
655 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
656 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
657
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
658 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
659 == 0)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
660 {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
661 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
662 "SSL_CTX_load_verify_locations(\"%s\") failed",
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
663 cert->data);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
664 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
665 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
666
5365
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
667 /*
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
668 * SSL_CTX_load_verify_locations() may leave errors in the error queue
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
669 * while returning success
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
670 */
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
671
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
672 ERR_clear_error();
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
673
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
674 list = SSL_load_client_CA_file((char *) cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
675
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
676 if (list == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
677 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
678 "SSL_load_client_CA_file(\"%s\") failed", cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
679 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
680 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
681
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
682 /*
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
683 * before 0.9.7h and 0.9.8 SSL_load_client_CA_file()
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
684 * always leaved an error in the error queue
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
685 */
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
686
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
687 ERR_clear_error();
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
688
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
689 SSL_CTX_set_client_CA_list(ssl->ctx, list);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
690
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
691 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
692 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
693
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
694
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
695 ngx_int_t
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
696 ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
697 ngx_int_t depth)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
698 {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
699 SSL_CTX_set_verify_depth(ssl->ctx, depth);
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
700
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
701 if (cert->len == 0) {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
702 return NGX_OK;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
703 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
704
5330
314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5317
diff changeset
705 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
706 return NGX_ERROR;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
707 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
708
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
709 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
710 == 0)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
711 {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
712 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
713 "SSL_CTX_load_verify_locations(\"%s\") failed",
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
714 cert->data);
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
715 return NGX_ERROR;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
716 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
717
5365
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
718 /*
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
719 * SSL_CTX_load_verify_locations() may leave errors in the error queue
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
720 * while returning success
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
721 */
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
722
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
723 ERR_clear_error();
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
724
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
725 return NGX_OK;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
726 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
727
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
728
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
729 ngx_int_t
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
730 ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
731 {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
732 X509_STORE *store;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
733 X509_LOOKUP *lookup;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
734
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
735 if (crl->len == 0) {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
736 return NGX_OK;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
737 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
738
5330
314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5317
diff changeset
739 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
740 return NGX_ERROR;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
741 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
742
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
743 store = SSL_CTX_get_cert_store(ssl->ctx);
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
744
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
745 if (store == NULL) {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
746 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
747 "SSL_CTX_get_cert_store() failed");
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
748 return NGX_ERROR;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
749 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
750
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
751 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
752
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
753 if (lookup == NULL) {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
754 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
755 "X509_STORE_add_lookup() failed");
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
756 return NGX_ERROR;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
757 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
758
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
759 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM)
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
760 == 0)
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
761 {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
762 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
763 "X509_LOOKUP_load_file(\"%s\") failed", crl->data);
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
764 return NGX_ERROR;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
765 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
766
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
767 X509_STORE_set_flags(store,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
768 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
769
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
770 return NGX_OK;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
771 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
772
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
773
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
774 static int
5222
23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents: 5081
diff changeset
775 ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
776 {
1977
40c9cb8576bb get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents: 1976
diff changeset
777 #if (NGX_DEBUG)
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
778 char *subject, *issuer;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
779 int err, depth;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
780 X509 *cert;
1976
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
781 X509_NAME *sname, *iname;
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
782 ngx_connection_t *c;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
783 ngx_ssl_conn_t *ssl_conn;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
784
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
785 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
786 SSL_get_ex_data_X509_STORE_CTX_idx());
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
787
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
788 c = ngx_ssl_get_connection(ssl_conn);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
789
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
790 cert = X509_STORE_CTX_get_current_cert(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
791 err = X509_STORE_CTX_get_error(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
792 depth = X509_STORE_CTX_get_error_depth(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
793
1976
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
794 sname = X509_get_subject_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
795 subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)";
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
796
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
797 iname = X509_get_issuer_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
798 issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)";
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
799
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
800 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
801 "verify:%d, error:%d, depth:%d, "
5775
294d020bbcfe SSL: misplaced space in debug message.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5767
diff changeset
802 "subject:\"%s\", issuer:\"%s\"",
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
803 ok, err, depth, subject, issuer);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
804
1976
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
805 if (sname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
806 OPENSSL_free(subject);
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
807 }
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
808
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
809 if (iname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
810 OPENSSL_free(issuer);
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
811 }
1977
40c9cb8576bb get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents: 1976
diff changeset
812 #endif
1976
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
813
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
814 return 1;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
815 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
816
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
817
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
818 static void
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
819 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
820 {
5395
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
821 BIO *rbio, *wbio;
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
822 ngx_connection_t *c;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
823
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
824 if (where & SSL_CB_HANDSHAKE_START) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
825 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
826
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
827 if (c->ssl->handshaked) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
828 c->ssl->renegotiation = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
829 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
830 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
831 }
5395
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
832
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
833 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
834 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
835
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
836 if (!c->ssl->handshake_buffer_set) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
837 /*
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
838 * By default OpenSSL uses 4k buffer during a handshake,
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
839 * which is too low for long certificate chains and might
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
840 * result in extra round-trips.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
841 *
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
842 * To adjust a buffer size we detect that buffering was added
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
843 * to write side of the connection by comparing rbio and wbio.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
844 * If they are different, we assume that it's due to buffering
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
845 * added to wbio, and set buffer size.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
846 */
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
847
5423
5b5a486bd40e SSL: fixed build with OpenSSL 0.9.7.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5395
diff changeset
848 rbio = SSL_get_rbio((ngx_ssl_conn_t *) ssl_conn);
5b5a486bd40e SSL: fixed build with OpenSSL 0.9.7.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5395
diff changeset
849 wbio = SSL_get_wbio((ngx_ssl_conn_t *) ssl_conn);
5395
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
850
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
851 if (rbio != wbio) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
852 (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE);
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
853 c->ssl->handshake_buffer_set = 1;
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
854 }
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
855 }
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
856 }
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
857 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
858
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
859
3959
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
860 RSA *
5223
71d85de7b53b Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
Piotr Sikora <piotr@cloudflare.com>
parents: 5222
diff changeset
861 ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
71d85de7b53b Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
Piotr Sikora <piotr@cloudflare.com>
parents: 5222
diff changeset
862 int key_length)
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
863 {
3959
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
864 static RSA *key;
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
865
5754
c7ecd097b883 SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents: 5747
diff changeset
866 if (key_length != 512) {
c7ecd097b883 SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents: 5747
diff changeset
867 return NULL;
c7ecd097b883 SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents: 5747
diff changeset
868 }
c7ecd097b883 SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents: 5747
diff changeset
869
6489
c256dfdd469d SSL: RSA_generate_key() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6488
diff changeset
870 #if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED)
5755
8df08465fcfd SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5754
diff changeset
871
5754
c7ecd097b883 SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents: 5747
diff changeset
872 if (key == NULL) {
c7ecd097b883 SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents: 5747
diff changeset
873 key = RSA_generate_key(512, RSA_F4, NULL, NULL);
559
c1f965ef9718 nginx-0.3.1-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 549
diff changeset
874 }
c1f965ef9718 nginx-0.3.1-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 549
diff changeset
875
5755
8df08465fcfd SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5754
diff changeset
876 #endif
8df08465fcfd SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5754
diff changeset
877
3959
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
878 return key;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
879 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
880
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
881
5744
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
882 ngx_array_t *
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
883 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
884 {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
885 u_char *p, *last, *end;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
886 size_t len;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
887 ssize_t n;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
888 ngx_fd_t fd;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
889 ngx_str_t *pwd;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
890 ngx_array_t *passwords;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
891 ngx_pool_cleanup_t *cln;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
892 u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE];
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
893
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
894 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
895 return NULL;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
896 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
897
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
898 cln = ngx_pool_cleanup_add(cf->temp_pool, 0);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
899 passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t));
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
900
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
901 if (cln == NULL || passwords == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
902 return NULL;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
903 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
904
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
905 cln->handler = ngx_ssl_passwords_cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
906 cln->data = passwords;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
907
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
908 fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
909 if (fd == NGX_INVALID_FILE) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
910 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
911 ngx_open_file_n " \"%s\" failed", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
912 return NULL;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
913 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
914
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
915 len = 0;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
916 last = buf;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
917
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
918 do {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
919 n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
920
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
921 if (n == -1) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
922 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
923 ngx_read_fd_n " \"%s\" failed", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
924 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
925 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
926 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
927
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
928 end = last + n;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
929
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
930 if (len && n == 0) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
931 *end++ = LF;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
932 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
933
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
934 p = buf;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
935
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
936 for ( ;; ) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
937 last = ngx_strlchr(last, end, LF);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
938
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
939 if (last == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
940 break;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
941 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
942
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
943 len = last++ - p;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
944
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
945 if (len && p[len - 1] == CR) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
946 len--;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
947 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
948
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
949 if (len) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
950 pwd = ngx_array_push(passwords);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
951 if (pwd == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
952 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
953 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
954 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
955
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
956 pwd->len = len;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
957 pwd->data = ngx_pnalloc(cf->temp_pool, len);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
958
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
959 if (pwd->data == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
960 passwords->nelts--;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
961 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
962 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
963 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
964
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
965 ngx_memcpy(pwd->data, p, len);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
966 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
967
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
968 p = last;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
969 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
970
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
971 len = end - p;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
972
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
973 if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
974 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
975 "too long line in \"%s\"", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
976 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
977 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
978 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
979
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
980 ngx_memmove(buf, p, len);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
981 last = buf + len;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
982
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
983 } while (n != 0);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
984
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
985 if (passwords->nelts == 0) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
986 pwd = ngx_array_push(passwords);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
987 if (pwd == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
988 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
989 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
990 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
991
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
992 ngx_memzero(pwd, sizeof(ngx_str_t));
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
993 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
994
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
995 cleanup:
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
996
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
997 if (ngx_close_file(fd) == NGX_FILE_ERROR) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
998 ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno,
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
999 ngx_close_file_n " \"%s\" failed", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1000 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1001
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1002 ngx_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1003
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1004 return passwords;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1005 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1006
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1007
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1008 static void
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1009 ngx_ssl_passwords_cleanup(void *data)
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1010 {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1011 ngx_array_t *passwords = data;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1012
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1013 ngx_str_t *pwd;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1014 ngx_uint_t i;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1015
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1016 pwd = passwords->elts;
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1017
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1018 for (i = 0; i < passwords->nelts; i++) {
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1019 ngx_memzero(pwd[i].data, pwd[i].len);
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1020 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1021 }
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1022
42114bf12da0 SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents: 5700
diff changeset
1023
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1024 ngx_int_t
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1025 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1026 {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1027 DH *dh;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1028 BIO *bio;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1029
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1030 if (file->len == 0) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1031 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1032 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1033
5330
314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5317
diff changeset
1034 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1035 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1036 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1037
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1038 bio = BIO_new_file((char *) file->data, "r");
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1039 if (bio == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1040 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1041 "BIO_new_file(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1042 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1043 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1045 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1046 if (dh == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1047 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1048 "PEM_read_bio_DHparams(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1049 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1050 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1051 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1052
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1053 SSL_CTX_set_tmp_dh(ssl->ctx, dh);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1054
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1055 DH_free(dh);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1056 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1057
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1058 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1059 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1060
4522
14411ee4d89f Whitespace fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4499
diff changeset
1061
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1062 ngx_int_t
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1063 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1064 {
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1065 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1066 #ifndef OPENSSL_NO_ECDH
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1067
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1068 /*
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1069 * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
4572
67653855682e Fixed spelling in multiline C comments.
Ruslan Ermilov <ru@nginx.com>
parents: 4522
diff changeset
1070 * from RFC 4492 section 5.1.1, or explicitly described curves over
6552
addd98357629 SSL: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6551
diff changeset
1071 * binary fields. OpenSSL only supports the "named curves", which provide
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1072 * maximum interoperability.
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1073 */
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1074
6553
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1075 #ifdef SSL_CTRL_SET_CURVES_LIST
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1076
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1077 /*
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1078 * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1079 * curve previously supported. By default an internal list is used,
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1080 * with prime256v1 being preferred by server in OpenSSL 1.0.2b+
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1081 * and X25519 in OpenSSL 1.1.0+.
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1082 *
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1083 * By default a curve preferred by the client will be used for
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1084 * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1085 * be used to prefer server curves instead, similar to what it
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1086 * does for ciphers.
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1087 */
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1088
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1089 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1090
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1091 #if SSL_CTRL_SET_ECDH_AUTO
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1092 /* not needed in OpenSSL 1.1.0+ */
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1093 SSL_CTX_set_ecdh_auto(ssl->ctx, 1);
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1094 #endif
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1095
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1096 if (ngx_strcmp(name->data, "auto") == 0) {
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1097 return NGX_OK;
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1098 }
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1099
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1100 if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) {
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1101 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1102 "SSL_CTX_set1_curves_list(\"%s\") failed", name->data);
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1103 return NGX_ERROR;
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1104 }
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1105
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1106 #else
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1107
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1108 int nid;
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1109 char *curve;
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1110 EC_KEY *ecdh;
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1111
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1112 if (ngx_strcmp(name->data, "auto") == 0) {
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1113 curve = "prime256v1";
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1114
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1115 } else {
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1116 curve = (char *) name->data;
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1117 }
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1118
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1119 nid = OBJ_sn2nid(curve);
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1120 if (nid == 0) {
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1121 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
6553
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1122 "OBJ_sn2nid(\"%s\") failed: unknown curve", curve);
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1123 return NGX_ERROR;
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1124 }
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1125
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1126 ecdh = EC_KEY_new_by_curve_name(nid);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1127 if (ecdh == NULL) {
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1128 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
6553
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1129 "EC_KEY_new_by_curve_name(\"%s\") failed", curve);
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1130 return NGX_ERROR;
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1131 }
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1132
5003
82234f3f5ca2 SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4877
diff changeset
1133 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
82234f3f5ca2 SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4877
diff changeset
1134
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1135 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1136
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1137 EC_KEY_free(ecdh);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1138 #endif
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1139 #endif
6553
2014ed60f17f SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6552
diff changeset
1140 #endif
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1141
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1142 return NGX_OK;
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
1143 }
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1144
4522
14411ee4d89f Whitespace fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4499
diff changeset
1145
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1146 ngx_int_t
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1147 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1148 {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1149 ngx_ssl_connection_t *sc;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1150
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1151 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1152 if (sc == NULL) {
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1153 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1154 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1155
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1156 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5450
diff changeset
1157 sc->buffer_size = ssl->buffer_size;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1158
6261
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6259
diff changeset
1159 sc->session_ctx = ssl->ctx;
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6259
diff changeset
1160
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1161 sc->connection = SSL_new(ssl->ctx);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1162
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1163 if (sc->connection == NULL) {
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1164 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed");
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1165 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1166 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1167
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1168 if (SSL_set_fd(sc->connection, c->fd) == 0) {
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1169 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed");
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1170 return NGX_ERROR;
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1171 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1172
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1173 if (flags & NGX_SSL_CLIENT) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1174 SSL_set_connect_state(sc->connection);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1175
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1176 } else {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1177 SSL_set_accept_state(sc->connection);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1178 }
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1179
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
1180 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
1181 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
1182 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
1183 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
1184
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1185 c->ssl = sc;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1186
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1187 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1188 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1189
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1190
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1191 ngx_int_t
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1192 ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1193 {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1194 if (session) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1195 if (SSL_set_session(c->ssl->connection, session) == 0) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1196 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed");
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1197 return NGX_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1198 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1199 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1200
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1201 return NGX_OK;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1202 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1203
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1204
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1205 ngx_int_t
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1206 ngx_ssl_handshake(ngx_connection_t *c)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1207 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1208 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1209 ngx_err_t err;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1210
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1211 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1212
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1213 n = SSL_do_handshake(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1214
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1215 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1216
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1217 if (n == 1) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1218
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1219 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1220 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1221 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1222
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1223 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1224 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1225 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1226
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1227 #if (NGX_DEBUG)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1228 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1229 char buf[129], *s, *d;
3851
033015e01eec fix building on Fedora 14
Igor Sysoev <igor@sysoev.ru>
parents: 3815
diff changeset
1230 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
3488
92378c49456d MSVC8 compatibility with OpenSSL 1.0.0
Igor Sysoev <igor@sysoev.ru>
parents: 3464
diff changeset
1231 const
92378c49456d MSVC8 compatibility with OpenSSL 1.0.0
Igor Sysoev <igor@sysoev.ru>
parents: 3464
diff changeset
1232 #endif
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1233 SSL_CIPHER *cipher;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1234
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1235 cipher = SSL_get_current_cipher(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1236
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1237 if (cipher) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1238 SSL_CIPHER_description(cipher, &buf[1], 128);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1239
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1240 for (s = &buf[1], d = buf; *s; s++) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1241 if (*s == ' ' && *d == ' ') {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1242 continue;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1243 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1244
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1245 if (*s == LF || *s == CR) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1246 continue;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1247 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1248
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1249 *++d = *s;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1250 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1251
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1252 if (*d != ' ') {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1253 d++;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1254 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1255
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1256 *d = '\0';
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1257
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1258 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1259 "SSL: %s, cipher: \"%s\"",
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1260 SSL_get_version(c->ssl->connection), &buf[1]);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1261
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1262 if (SSL_session_reused(c->ssl->connection)) {
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1263 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1264 "SSL reused session");
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1265 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1266
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1267 } else {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1268 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1269 "SSL no shared ciphers");
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1270 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1271 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1272 #endif
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1273
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1274 c->ssl->handshaked = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1275
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1276 c->recv = ngx_ssl_recv;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1277 c->send = ngx_ssl_write;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1278 c->recv_chain = ngx_ssl_recv_chain;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1279 c->send_chain = ngx_ssl_send_chain;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1280
6255
b40af2fd1c16 SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6036
diff changeset
1281 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5946
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents: 5934
diff changeset
1282 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents: 5934
diff changeset
1283
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1284 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1285 if (c->ssl->connection->s3) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1286 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1287 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1288
5946
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents: 5934
diff changeset
1289 #endif
6255
b40af2fd1c16 SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6036
diff changeset
1290 #endif
5946
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents: 5934
diff changeset
1291
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1292 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1293 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1294
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1295 sslerr = SSL_get_error(c->ssl->connection, n);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1296
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1297 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1298
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1299 if (sslerr == SSL_ERROR_WANT_READ) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1300 c->read->ready = 0;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1301 c->read->handler = ngx_ssl_handshake_handler;
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1302 c->write->handler = ngx_ssl_handshake_handler;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1303
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1304 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1305 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1306 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1307
5024
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
1308 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
1309 return NGX_ERROR;
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
1310 }
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
1311
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1312 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1313 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1314
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1315 if (sslerr == SSL_ERROR_WANT_WRITE) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1316 c->write->ready = 0;
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1317 c->read->handler = ngx_ssl_handshake_handler;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1318 c->write->handler = ngx_ssl_handshake_handler;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1319
5024
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
1320 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
1321 return NGX_ERROR;
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
1322 }
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
1323
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1324 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1325 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1326 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1327
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1328 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1329 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1330
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1331 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1332
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1333 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1334 c->ssl->no_send_shutdown = 1;
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1335 c->read->eof = 1;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1336
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1337 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
5747
57c05ff57980 SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents: 5744
diff changeset
1338 ngx_connection_error(c, err,
57c05ff57980 SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents: 5744
diff changeset
1339 "peer closed connection in SSL handshake");
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1340
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1341 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1342 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1343
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1344 c->read->error = 1;
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1345
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1346 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1347
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1348 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1349 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1350
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1351
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1352 static void
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1353 ngx_ssl_handshake_handler(ngx_event_t *ev)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1354 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1355 ngx_connection_t *c;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1356
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1357 c = ev->data;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1358
549
e16a8d574da5 nginx-0.2.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 547
diff changeset
1359 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1360 "SSL handshake handler: %d", ev->write);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1361
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1362 if (ev->timedout) {
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1363 c->ssl->handler(c);
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1364 return;
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1365 }
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1366
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1367 if (ngx_ssl_handshake(c) == NGX_AGAIN) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1368 return;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1369 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1370
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1371 c->ssl->handler(c);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1372 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1373
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1374
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1375 ssize_t
5882
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1376 ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit)
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1377 {
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1378 u_char *last;
5882
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1379 ssize_t n, bytes, size;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1380 ngx_buf_t *b;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1381
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1382 bytes = 0;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1383
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1384 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1385 last = b->last;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1386
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1387 for ( ;; ) {
5882
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1388 size = b->end - last;
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1389
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1390 if (limit) {
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1391 if (bytes >= limit) {
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1392 return bytes;
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1393 }
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1394
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1395 if (bytes + size > limit) {
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1396 size = (ssize_t) (limit - bytes);
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1397 }
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1398 }
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1399
ec81934727a1 Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents: 5834
diff changeset
1400 n = ngx_ssl_recv(c, last, size);
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1401
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1402 if (n > 0) {
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1403 last += n;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1404 bytes += n;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1405
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1406 if (last == b->end) {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1407 cl = cl->next;
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1408
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1409 if (cl == NULL) {
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1410 return bytes;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1411 }
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1412
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1413 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
1414 last = b->last;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1415 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1416
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1417 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1418 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1419
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1420 if (bytes) {
2052
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
1421
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
1422 if (n == 0 || n == NGX_ERROR) {
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
1423 c->read->ready = 1;
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
1424 }
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
1425
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1426 return bytes;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1427 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1428
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1429 return n;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1430 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1431 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1432
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1433
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1434 ssize_t
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1435 ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1436 {
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1437 int n, bytes;
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1438
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1439 if (c->ssl->last == NGX_ERROR) {
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1440 c->read->error = 1;
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1441 return NGX_ERROR;
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1442 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1443
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1444 if (c->ssl->last == NGX_DONE) {
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1445 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1446 c->read->eof = 1;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1447 return 0;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1448 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1449
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1450 bytes = 0;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1451
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1452 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1453
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1454 /*
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1455 * SSL_read() may return data in parts, so try to read
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1456 * until SSL_read() would return no data
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1457 */
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1458
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1459 for ( ;; ) {
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1460
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1461 n = SSL_read(c->ssl->connection, buf, size);
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1462
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1463 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1464
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1465 if (n > 0) {
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1466 bytes += n;
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1467 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1468
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1469 c->ssl->last = ngx_ssl_handle_recv(c, n);
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1470
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1471 if (c->ssl->last == NGX_OK) {
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1472
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1473 size -= n;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1474
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1475 if (size == 0) {
5450
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
1476 c->read->ready = 1;
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1477 return bytes;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1478 }
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1479
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1480 buf += n;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1481
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1482 continue;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1483 }
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1484
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1485 if (bytes) {
5450
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
1486 if (c->ssl->last != NGX_AGAIN) {
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
1487 c->read->ready = 1;
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
1488 }
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
1489
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1490 return bytes;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1491 }
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1492
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1493 switch (c->ssl->last) {
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1494
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1495 case NGX_DONE:
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1496 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1497 c->read->eof = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1498 return 0;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1499
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1500 case NGX_ERROR:
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1501 c->read->error = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1502
4499
778ef9c3fd2d Fixed spelling in single-line comments.
Ruslan Ermilov <ru@nginx.com>
parents: 4497
diff changeset
1503 /* fall through */
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1504
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
1505 case NGX_AGAIN:
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1506 return c->ssl->last;
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 473
diff changeset
1507 }
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1508 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1509 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1510
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1511
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1512 static ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1513 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1514 {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1515 int sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1516 ngx_err_t err;
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1517
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1518 if (c->ssl->renegotiation) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1519 /*
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1520 * disable renegotiation (CVE-2009-3555):
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1521 * OpenSSL (at least up to 0.9.8l) does not handle disabled
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1522 * renegotiation gracefully, so drop connection here
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1523 */
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1524
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1525 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1526
4236
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1527 while (ERR_peek_error()) {
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1528 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1529 "ignoring stale global SSL error");
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1530 }
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1531
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1532 ERR_clear_error();
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1533
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1534 c->ssl->no_wait_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1535 c->ssl->no_send_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1536
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1537 return NGX_ERROR;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1538 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1539
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1540 if (n > 0) {
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 473
diff changeset
1541
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1542 if (c->ssl->saved_write_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1543
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1544 c->write->handler = c->ssl->saved_write_handler;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1545 c->ssl->saved_write_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1546 c->write->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1547
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1548 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1549 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1550 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1551
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
1552 ngx_post_event(c->write, &ngx_posted_events);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1553 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1554
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1555 return NGX_OK;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1556 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1557
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1558 sslerr = SSL_get_error(c->ssl->connection, n);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1559
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1560 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1561
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1562 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1563
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1564 if (sslerr == SSL_ERROR_WANT_READ) {
455
295d97d70c69 nginx-0.1.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 452
diff changeset
1565 c->read->ready = 0;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1566 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1567 }
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1568
445
f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
1569 if (sslerr == SSL_ERROR_WANT_WRITE) {
539
371c1cee100d nginx-0.1.44-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 513
diff changeset
1570
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1571 ngx_log_error(NGX_LOG_INFO, c->log, 0,
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1572 "peer started SSL renegotiation");
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1573
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1574 c->write->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1575
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1576 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1577 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1578 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1579
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1580 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1581 * we do not set the timer because there is already the read event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1582 */
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1583
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1584 if (c->ssl->saved_write_handler == NULL) {
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1585 c->ssl->saved_write_handler = c->write->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1586 c->write->handler = ngx_ssl_write_handler;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1587 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1588
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1589 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1590 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1591
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1592 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1593 c->ssl->no_send_shutdown = 1;
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1594
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1595 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1596 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1597 "peer shutdown SSL cleanly");
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1598 return NGX_DONE;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1599 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1600
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1601 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1602
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1603 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1604 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1605
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1606
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1607 static void
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1608 ngx_ssl_write_handler(ngx_event_t *wev)
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1609 {
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1610 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1611
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1612 c = wev->data;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1613
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1614 c->read->handler(c->read);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1615 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1616
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1617
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1618 /*
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1619 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1620 * before the SSL_write() call to decrease a SSL overhead.
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1621 *
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1622 * Besides for protocols such as HTTP it is possible to always buffer
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1623 * the output to decrease a SSL overhead some more.
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1624 */
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1625
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1626 ngx_chain_t *
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1627 ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1628 {
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1629 int n;
399
4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents: 398
diff changeset
1630 ngx_uint_t flush;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1631 ssize_t send, size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1632 ngx_buf_t *buf;
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1633
2280
6453161bf53e always use buffer, if connection is buffered,
Igor Sysoev <igor@sysoev.ru>
parents: 2165
diff changeset
1634 if (!c->ssl->buffer) {
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1635
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1636 while (in) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1637 if (ngx_buf_special(in->buf)) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1638 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1639 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1640 }
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1641
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1642 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1643
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1644 if (n == NGX_ERROR) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1645 return NGX_CHAIN_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1646 }
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1647
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1648 if (n == NGX_AGAIN) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1649 return in;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1650 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1651
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1652 in->buf->pos += n;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1653
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1654 if (in->buf->pos == in->buf->last) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1655 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1656 }
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1657 }
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1658
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1659 return in;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1660 }
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1661
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1662
3962
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents: 3961
diff changeset
1663 /* the maximum limit size is the maximum int32_t value - the page size */
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents: 3961
diff changeset
1664
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents: 3961
diff changeset
1665 if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents: 3961
diff changeset
1666 limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1667 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1668
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1669 buf = c->ssl->buf;
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1670
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1671 if (buf == NULL) {
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5450
diff changeset
1672 buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size);
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1673 if (buf == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1674 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1675 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1676
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1677 c->ssl->buf = buf;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1678 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1679
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1680 if (buf->start == NULL) {
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5450
diff changeset
1681 buf->start = ngx_palloc(c->pool, c->ssl->buffer_size);
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1682 if (buf->start == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1683 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1684 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1685
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1686 buf->pos = buf->start;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1687 buf->last = buf->start;
5487
a297b7ad6f94 SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5450
diff changeset
1688 buf->end = buf->start + c->ssl->buffer_size;
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1689 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1690
5023
70a35b7b63ea SSL: take into account data in the buffer while limiting output.
Valentin Bartenev <vbart@nginx.com>
parents: 5022
diff changeset
1691 send = buf->last - buf->pos;
5020
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1692 flush = (in == NULL) ? 1 : buf->flush;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1693
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1694 for ( ;; ) {
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1695
3283
52b1624b93c2 fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents: 3159
diff changeset
1696 while (in && buf->last < buf->end && send < limit) {
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1697 if (in->buf->last_buf || in->buf->flush) {
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1698 flush = 1;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1699 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1700
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1701 if (ngx_buf_special(in->buf)) {
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1702 in = in->next;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1703 continue;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1704 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1705
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1706 size = in->buf->last - in->buf->pos;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1707
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1708 if (size > buf->end - buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1709 size = buf->end - buf->last;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1710 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1711
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1712 if (send + size > limit) {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1713 size = (ssize_t) (limit - send);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1714 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1715
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1716 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
6480
f01ab2dbcfdc Fixed logging.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6474
diff changeset
1717 "SSL buf copy: %z", size);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1718
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1719 ngx_memcpy(buf->last, in->buf->pos, size);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1720
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1721 buf->last += size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1722 in->buf->pos += size;
3283
52b1624b93c2 fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents: 3159
diff changeset
1723 send += size;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1724
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1725 if (in->buf->pos == in->buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1726 in = in->next;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1727 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1728 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1729
5020
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1730 if (!flush && send < limit && buf->last < buf->end) {
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1731 break;
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1732 }
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1733
5021
674f8739e443 SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents: 5020
diff changeset
1734 size = buf->last - buf->pos;
674f8739e443 SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents: 5020
diff changeset
1735
5022
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1736 if (size == 0) {
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1737 buf->flush = 0;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1738 c->buffered &= ~NGX_SSL_BUFFERED;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1739 return in;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1740 }
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1741
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1742 n = ngx_ssl_write(c, buf->pos, size);
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1743
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1744 if (n == NGX_ERROR) {
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1745 return NGX_CHAIN_ERROR;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1746 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1747
511
c12967aadd87 nginx-0.1.30-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 509
diff changeset
1748 if (n == NGX_AGAIN) {
5020
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1749 break;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1750 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1751
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1752 buf->pos += n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1753
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1754 if (n < size) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1755 break;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1756 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1757
5019
69693a098655 SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents: 5018
diff changeset
1758 flush = 0;
69693a098655 SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents: 5018
diff changeset
1759
5018
0ea36741bb35 SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents: 5003
diff changeset
1760 buf->pos = buf->start;
0ea36741bb35 SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents: 5003
diff changeset
1761 buf->last = buf->start;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1762
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1763 if (in == NULL || send == limit) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1764 break;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1765 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1766 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1767
5020
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1768 buf->flush = flush;
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1769
597
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1770 if (buf->pos < buf->last) {
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1771 c->buffered |= NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1772
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1773 } else {
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1774 c->buffered &= ~NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1775 }
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1776
399
4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents: 398
diff changeset
1777 return in;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1778 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1779
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1780
539
371c1cee100d nginx-0.1.44-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 513
diff changeset
1781 ssize_t
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1782 ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1783 {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1784 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1785 ngx_err_t err;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1786
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1787 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1788
6480
f01ab2dbcfdc Fixed logging.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6474
diff changeset
1789 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size);
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1790
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1791 n = SSL_write(c->ssl->connection, data, size);
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1792
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1793 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1794
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1795 if (n > 0) {
539
371c1cee100d nginx-0.1.44-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 513
diff changeset
1796
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1797 if (c->ssl->saved_read_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1798
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1799 c->read->handler = c->ssl->saved_read_handler;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1800 c->ssl->saved_read_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1801 c->read->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1802
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1803 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1804 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1805 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1806
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
1807 ngx_post_event(c->read, &ngx_posted_events);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1808 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1809
5986
c2f309fb7ad2 SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents: 5946
diff changeset
1810 c->sent += n;
c2f309fb7ad2 SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents: 5946
diff changeset
1811
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1812 return n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1813 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1814
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1815 sslerr = SSL_get_error(c->ssl->connection, n);
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1816
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1817 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1818
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1819 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1820
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1821 if (sslerr == SSL_ERROR_WANT_WRITE) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1822 c->write->ready = 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1823 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1824 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1825
445
f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
1826 if (sslerr == SSL_ERROR_WANT_READ) {
452
23fb87bddda1 nginx-0.1.1-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 445
diff changeset
1827
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1828 ngx_log_error(NGX_LOG_INFO, c->log, 0,
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1829 "peer started SSL renegotiation");
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1830
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1831 c->read->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1832
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1833 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1834 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1835 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1836
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1837 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1838 * we do not set the timer because there is already
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1839 * the write event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1840 */
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1841
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1842 if (c->ssl->saved_read_handler == NULL) {
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1843 c->ssl->saved_read_handler = c->read->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1844 c->read->handler = ngx_ssl_read_handler;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1845 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1846
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1847 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1848 }
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1849
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1850 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1851 c->ssl->no_send_shutdown = 1;
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1852 c->write->error = 1;
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1853
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1854 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed");
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1855
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1856 return NGX_ERROR;
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1857 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1858
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1859
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1860 static void
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1861 ngx_ssl_read_handler(ngx_event_t *rev)
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1862 {
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1863 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1864
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1865 c = rev->data;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1866
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1867 c->write->handler(c->write);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1868 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1869
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1870
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1871 void
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1872 ngx_ssl_free_buffer(ngx_connection_t *c)
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1873 {
1795
3a0132e2be2c fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents: 1779
diff changeset
1874 if (c->ssl->buf && c->ssl->buf->start) {
3a0132e2be2c fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents: 1779
diff changeset
1875 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) {
3a0132e2be2c fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents: 1779
diff changeset
1876 c->ssl->buf->start = NULL;
3a0132e2be2c fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents: 1779
diff changeset
1877 }
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1878 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1879 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1880
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1881
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1882 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1883 ngx_ssl_shutdown(ngx_connection_t *c)
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1884 {
1754
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1885 int n, sslerr, mode;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1886 ngx_err_t err;
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1887
6407
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1888 if (SSL_in_init(c->ssl->connection)) {
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1889 /*
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1890 * OpenSSL 1.0.2f complains if SSL_shutdown() is called during
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1891 * an SSL handshake, while previous versions always return 0.
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1892 * Avoid calling SSL_shutdown() if handshake wasn't completed.
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1893 */
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1894
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1895 SSL_free(c->ssl->connection);
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1896 c->ssl = NULL;
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1897
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1898 return NGX_OK;
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1899 }
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6406
diff changeset
1900
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1901 if (c->timedout) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1902 mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN;
4064
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1903 SSL_set_quiet_shutdown(c->ssl->connection, 1);
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1904
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1905 } else {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1906 mode = SSL_get_shutdown(c->ssl->connection);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1907
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1908 if (c->ssl->no_wait_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1909 mode |= SSL_RECEIVED_SHUTDOWN;
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1910 }
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1911
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1912 if (c->ssl->no_send_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1913 mode |= SSL_SENT_SHUTDOWN;
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1914 }
4064
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1915
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1916 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) {
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1917 SSL_set_quiet_shutdown(c->ssl->connection, 1);
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1918 }
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1919 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1920
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1921 SSL_set_shutdown(c->ssl->connection, mode);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1922
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1923 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1924
1754
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1925 n = SSL_shutdown(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1926
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1927 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1928
461
a88a3e4e158f nginx-0.1.5-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 455
diff changeset
1929 sslerr = 0;
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1930
6406
d194cad6dd3a SSL: fixed SSL_shutdown() comment.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6261
diff changeset
1931 /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1932
1865
4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755
Igor Sysoev <igor@sysoev.ru>
parents: 1861
diff changeset
1933 if (n != 1 && ERR_peek_error()) {
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1934 sslerr = SSL_get_error(c->ssl->connection, n);
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1935
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1936 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1937 "SSL_get_error: %d", sslerr);
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1938 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1939
1865
4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755
Igor Sysoev <igor@sysoev.ru>
parents: 1861
diff changeset
1940 if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) {
1754
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1941 SSL_free(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1942 c->ssl = NULL;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1943
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1944 return NGX_OK;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1945 }
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1946
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1947 if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1948 c->read->handler = ngx_ssl_shutdown_handler;
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
1949 c->write->handler = ngx_ssl_shutdown_handler;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1950
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1951 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1952 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1953 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1954
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1955 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1956 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1957 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1958
1754
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1959 if (sslerr == SSL_ERROR_WANT_READ) {
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
1960 ngx_add_timer(c->read, 30000);
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
1961 }
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
1962
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1963 return NGX_AGAIN;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1964 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1965
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1966 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1967
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1968 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed");
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1969
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1970 SSL_free(c->ssl->connection);
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1971 c->ssl = NULL;
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1972
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1973 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1974 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1975
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1976
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1977 static void
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1978 ngx_ssl_shutdown_handler(ngx_event_t *ev)
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1979 {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1980 ngx_connection_t *c;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1981 ngx_connection_handler_pt handler;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1982
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1983 c = ev->data;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1984 handler = c->ssl->handler;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1985
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1986 if (ev->timedout) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1987 c->timedout = 1;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1988 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1989
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1990 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler");
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1991
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1992 if (ngx_ssl_shutdown(c) == NGX_AGAIN) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1993 return;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1994 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1995
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1996 handler(c);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1997 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1998
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1999
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2000 static void
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2001 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2002 char *text)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2003 {
1876
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2004 int n;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2005 ngx_uint_t level;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2006
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2007 level = NGX_LOG_CRIT;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2008
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2009 if (sslerr == SSL_ERROR_SYSCALL) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2010
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2011 if (err == NGX_ECONNRESET
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2012 || err == NGX_EPIPE
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2013 || err == NGX_ENOTCONN
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
2014 || err == NGX_ETIMEDOUT
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2015 || err == NGX_ECONNREFUSED
1869
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents: 1868
diff changeset
2016 || err == NGX_ENETDOWN
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents: 1868
diff changeset
2017 || err == NGX_ENETUNREACH
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents: 1868
diff changeset
2018 || err == NGX_EHOSTDOWN
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2019 || err == NGX_EHOSTUNREACH)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2020 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2021 switch (c->log_error) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2022
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2023 case NGX_ERROR_IGNORE_ECONNRESET:
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2024 case NGX_ERROR_INFO:
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2025 level = NGX_LOG_INFO;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2026 break;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2027
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2028 case NGX_ERROR_ERR:
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2029 level = NGX_LOG_ERR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2030 break;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2031
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2032 default:
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2033 break;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2034 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2035 }
1876
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2036
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2037 } else if (sslerr == SSL_ERROR_SSL) {
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2038
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2039 n = ERR_GET_REASON(ERR_peek_error());
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2040
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2041 /* handshake failures */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2042 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2043 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
3718
bfd84b583868 decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3516
diff changeset
2044 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2045 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2046 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
3455
028f0892e0cd decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3357
diff changeset
2047 || n == SSL_R_LENGTH_MISMATCH /* 159 */
6652
1891b2892b68 SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6591
diff changeset
2048 #ifdef SSL_R_NO_CIPHERS_PASSED
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2049 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
6652
1891b2892b68 SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6591
diff changeset
2050 #endif
3455
028f0892e0cd decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3357
diff changeset
2051 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2052 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2053 || n == SSL_R_NO_SHARED_CIPHER /* 193 */
3455
028f0892e0cd decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3357
diff changeset
2054 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2055 #ifdef SSL_R_PARSE_TLSEXT
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2056 || n == SSL_R_PARSE_TLSEXT /* 227 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2057 #endif
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2058 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2059 || n == SSL_R_UNEXPECTED_RECORD /* 245 */
3455
028f0892e0cd decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3357
diff changeset
2060 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
3357
fc735aa50b8b decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3300
diff changeset
2061 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2062 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2063 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2064 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2065 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2066 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2067 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2068 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2069 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2070 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2071 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2072 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2073 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
2074 #endif
5902
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5892
diff changeset
2075 #ifdef SSL_R_INAPPROPRIATE_FALLBACK
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5892
diff changeset
2076 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5892
diff changeset
2077 #endif
1877
a55876dff8f5 low SSL handshake close notify alert error level
Igor Sysoev <igor@sysoev.ru>
parents: 1876
diff changeset
2078 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
6486
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
2079 #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2080 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2081 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2082 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2083 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2084 || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2085 || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2086 || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2087 || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2088 || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2089 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2090 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2091 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2092 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2093 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2094 || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2095 || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2096 || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2097 || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2098 || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2099 || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2100 || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
2101 || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */
6486
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
2102 || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
2103 #endif
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
2104 )
1876
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2105 {
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2106 switch (c->log_error) {
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2107
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2108 case NGX_ERROR_IGNORE_ECONNRESET:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2109 case NGX_ERROR_INFO:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2110 level = NGX_LOG_INFO;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2111 break;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2112
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2113 case NGX_ERROR_ERR:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2114 level = NGX_LOG_ERR;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2115 break;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2116
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2117 default:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2118 break;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2119 }
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
2120 }
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2121 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2122
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2123 ngx_ssl_error(level, c->log, err, text);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2124 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2125
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2126
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2127 static void
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2128 ngx_ssl_clear_error(ngx_log_t *log)
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2129 {
1868
c2cd0720f292 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1865
diff changeset
2130 while (ERR_peek_error()) {
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2131 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2132 }
1868
c2cd0720f292 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1865
diff changeset
2133
c2cd0720f292 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1865
diff changeset
2134 ERR_clear_error();
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2135 }
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2136
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2137
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
2138 void ngx_cdecl
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2139 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2140 {
4877
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2141 int flags;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2142 u_long n;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2143 va_list args;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2144 u_char *p, *last;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2145 u_char errstr[NGX_MAX_CONF_ERRSTR];
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2146 const char *data;
461
a88a3e4e158f nginx-0.1.5-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 455
diff changeset
2147
a88a3e4e158f nginx-0.1.5-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 455
diff changeset
2148 last = errstr + NGX_MAX_CONF_ERRSTR;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2149
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2150 va_start(args, fmt);
2764
d4a717592877 use ngx_vslprintf(), ngx_slprintf()
Igor Sysoev <igor@sysoev.ru>
parents: 2720
diff changeset
2151 p = ngx_vslprintf(errstr, last - 1, fmt, args);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2152 va_end(args);
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2153
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2154 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2155
1861
f00b30557c81 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1860
diff changeset
2156 for ( ;; ) {
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
2157
4877
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2158 n = ERR_peek_error_line_data(NULL, NULL, &data, &flags);
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
2159
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
2160 if (n == 0) {
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
2161 break;
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
2162 }
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2163
6775
8081e1f3ab8b SSL: overcame possible buffer over-read in ngx_ssl_error().
Valentin Bartenev <vbart@nginx.com>
parents: 6725
diff changeset
2164 /* ERR_error_string_n() requires at least one byte */
8081e1f3ab8b SSL: overcame possible buffer over-read in ngx_ssl_error().
Valentin Bartenev <vbart@nginx.com>
parents: 6725
diff changeset
2165
8081e1f3ab8b SSL: overcame possible buffer over-read in ngx_ssl_error().
Valentin Bartenev <vbart@nginx.com>
parents: 6725
diff changeset
2166 if (p >= last - 1) {
4877
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2167 goto next;
1861
f00b30557c81 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1860
diff changeset
2168 }
f00b30557c81 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1860
diff changeset
2169
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2170 *p++ = ' ';
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2171
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2172 ERR_error_string_n(n, (char *) p, last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2173
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2174 while (p < last && *p) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2175 p++;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2176 }
4877
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2177
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2178 if (p < last && *data && (flags & ERR_TXT_STRING)) {
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2179 *p++ = ':';
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2180 p = ngx_cpystrn(p, (u_char *) data, last - p);
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2181 }
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2182
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2183 next:
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2184
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2185 (void) ERR_get_error();
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
2186 }
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2187
6259
2f34ea503ac4 SSL: handled long string truncation in ngx_ssl_error().
Vladimir Homutov <vl@nginx.com>
parents: 6255
diff changeset
2188 ngx_log_error(level, log, err, "%*s)", p - errstr, errstr);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2189 }
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
2190
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
2191
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2192 ngx_int_t
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2193 ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2194 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2195 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2196 long cache_mode;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2197
5424
767aa37f12de SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5423
diff changeset
2198 SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
767aa37f12de SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5423
diff changeset
2199
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2200 if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2201 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2202 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2203
1778
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
2204 if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
2205 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
2206 return NGX_OK;
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
2207 }
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
2208
2032
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2209 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2210
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2211 /*
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2212 * If the server explicitly says that it does not support
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2213 * session reuse (see SSL_SESS_CACHE_OFF above), then
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2214 * Outlook Express fails to upload a sent email to
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2215 * the Sent Items folder on the IMAP server via a separate IMAP
6552
addd98357629 SSL: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6551
diff changeset
2216 * connection in the background. Therefore we have a special
2032
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2217 * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE)
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2218 * where the server pretends that it supports session reuse,
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2219 * but it does not actually store any session.
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2220 */
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2221
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2222 SSL_CTX_set_session_cache_mode(ssl->ctx,
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2223 SSL_SESS_CACHE_SERVER
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2224 |SSL_SESS_CACHE_NO_AUTO_CLEAR
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2225 |SSL_SESS_CACHE_NO_INTERNAL_STORE);
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2226
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2227 SSL_CTX_sess_set_cache_size(ssl->ctx, 1);
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2228
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2229 return NGX_OK;
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2230 }
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
2231
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2232 cache_mode = SSL_SESS_CACHE_SERVER;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2233
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2234 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2235 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2236 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2237
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2238 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2239
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2240 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2241
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2242 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2243 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2244 }
1015
32ebb6b13ff3 ssl_session_timeout was set only if builtin cache was used
Igor Sysoev <igor@sysoev.ru>
parents: 1014
diff changeset
2245 }
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2246
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2247 if (shm_zone) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2248 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2249 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2250 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2251
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2252 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2253 == 0)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2254 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2255 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2256 "SSL_CTX_set_ex_data() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2257 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2258 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2259 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2260
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2261 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2262 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2263
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2264
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2265 static ngx_int_t
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2266 ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2267 {
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2268 int n, i;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2269 X509 *cert;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2270 X509_NAME *name;
6490
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2271 EVP_MD_CTX *md;
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2272 unsigned int len;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2273 STACK_OF(X509_NAME) *list;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2274 u_char buf[EVP_MAX_MD_SIZE];
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2275
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2276 /*
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2277 * Session ID context is set based on the string provided,
6548
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2278 * the server certificates, and the client CA list.
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2279 */
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2280
6490
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2281 md = EVP_MD_CTX_create();
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2282 if (md == NULL) {
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2283 return NGX_ERROR;
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2284 }
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2285
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2286 if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) {
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2287 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2288 "EVP_DigestInit_ex() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2289 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2290 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2291
6490
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2292 if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) {
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2293 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2294 "EVP_DigestUpdate() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2295 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2296 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2297
6548
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2298 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2299 cert;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2300 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2301 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2302 if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2303 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2304 "X509_digest() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2305 goto failed;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2306 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2307
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2308 if (EVP_DigestUpdate(md, buf, len) == 0) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2309 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2310 "EVP_DigestUpdate() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2311 goto failed;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
2312 }
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2313 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2314
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2315 list = SSL_CTX_get_client_CA_list(ssl->ctx);
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2316
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2317 if (list != NULL) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2318 n = sk_X509_NAME_num(list);
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2319
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2320 for (i = 0; i < n; i++) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2321 name = sk_X509_NAME_value(list, i);
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2322
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2323 if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2324 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2325 "X509_NAME_digest() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2326 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2327 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2328
6490
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2329 if (EVP_DigestUpdate(md, buf, len) == 0) {
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2330 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2331 "EVP_DigestUpdate() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2332 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2333 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2334 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2335 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2336
6490
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2337 if (EVP_DigestFinal_ex(md, buf, &len) == 0) {
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2338 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2339 "EVP_DigestUpdate() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2340 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2341 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2342
6490
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2343 EVP_MD_CTX_destroy(md);
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2344
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2345 if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2346 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2347 "SSL_CTX_set_session_id_context() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2348 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2349 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2350
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2351 return NGX_OK;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2352
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2353 failed:
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2354
6490
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6489
diff changeset
2355 EVP_MD_CTX_destroy(md);
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2356
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2357 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2358 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2359
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
2360
3992
a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents: 3962
diff changeset
2361 ngx_int_t
993
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
2362 ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2363 {
2611
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
2364 size_t len;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2365 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2366 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2367
993
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
2368 if (data) {
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
2369 shm_zone->data = data;
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
2370 return NGX_OK;
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
2371 }
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
2372
5640
4c6ceca4f5f7 Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5634
diff changeset
2373 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
4c6ceca4f5f7 Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5634
diff changeset
2374
2720
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
2375 if (shm_zone->shm.exists) {
5640
4c6ceca4f5f7 Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5634
diff changeset
2376 shm_zone->data = shpool->data;
2720
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
2377 return NGX_OK;
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
2378 }
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
2379
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2380 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t));
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2381 if (cache == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2382 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2383 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2384
2720
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
2385 shpool->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
2386 shm_zone->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
2387
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2388 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel,
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2389 ngx_ssl_session_rbtree_insert_value);
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2390
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2391 ngx_queue_init(&cache->expire_queue);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2392
2716
d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2710
diff changeset
2393 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len;
2611
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
2394
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
2395 shpool->log_ctx = ngx_slab_alloc(shpool, len);
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
2396 if (shpool->log_ctx == NULL) {
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
2397 return NGX_ERROR;
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
2398 }
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
2399
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
2400 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z",
2716
d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2710
diff changeset
2401 &shm_zone->shm.name);
2611
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
2402
5634
5024d29354f1 Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5573
diff changeset
2403 shpool->log_nomem = 0;
5024d29354f1 Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5573
diff changeset
2404
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2405 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2406 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2407
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2408
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2409 /*
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2410 * The length of the session id is 16 bytes for SSLv2 sessions and
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2411 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes.
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2412 * It seems that the typical length of the external ASN1 representation
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2413 * of a session is 118 or 119 bytes for SSLv3/TSLv1.
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2414 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2415 * Thus on 32-bit platforms we allocate separately an rbtree node,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2416 * a session id, and an ASN1 representation, they take accordingly
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2417 * 64, 32, and 128 bytes.
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2418 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2419 * On 64-bit platforms we allocate separately an rbtree node + session_id,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2420 * and an ASN1 representation, they take accordingly 128 and 128 bytes.
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2421 *
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2422 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2423 * so they are outside the code locked by shared pool mutex
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2424 */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2425
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2426 static int
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2427 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2428 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2429 int len;
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2430 u_char *p, *id, *cached_sess, *session_id;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2431 uint32_t hash;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2432 SSL_CTX *ssl_ctx;
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2433 unsigned int session_id_length;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2434 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2435 ngx_connection_t *c;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2436 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2437 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2438 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2439 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2440
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2441 len = i2d_SSL_SESSION(sess, NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2442
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2443 /* do not cache too big session */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2444
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2445 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2446 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2447 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2448
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2449 p = buf;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2450 i2d_SSL_SESSION(sess, &p);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2451
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2452 c = ngx_ssl_get_connection(ssl_conn);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2453
6261
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6259
diff changeset
2454 ssl_ctx = c->ssl->session_ctx;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2455 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2456
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2457 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2458 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2459
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2460 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2461
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2462 /* drop one or two expired sessions */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2463 ngx_ssl_expire_sessions(cache, shpool, 1);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2464
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2465 cached_sess = ngx_slab_alloc_locked(shpool, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2466
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2467 if (cached_sess == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2468
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2469 /* drop the oldest non-expired session and try once more */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2470
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2471 ngx_ssl_expire_sessions(cache, shpool, 0);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2472
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2473 cached_sess = ngx_slab_alloc_locked(shpool, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2474
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2475 if (cached_sess == NULL) {
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2476 sess_id = NULL;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2477 goto failed;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2478 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2479 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2480
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2481 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2482
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2483 if (sess_id == NULL) {
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2484
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2485 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2486
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2487 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2488
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2489 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2490
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2491 if (sess_id == NULL) {
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2492 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2493 }
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2494 }
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2495
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2496 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2497
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2498 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2499
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2500 #else
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2501
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2502 session_id = sess->session_id;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2503 session_id_length = sess->session_id_length;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2504
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2505 #endif
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2506
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2507 #if (NGX_PTR_SIZE == 8)
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2508
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2509 id = sess_id->sess_id;
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2510
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2511 #else
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2512
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2513 id = ngx_slab_alloc_locked(shpool, session_id_length);
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2514
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2515 if (id == NULL) {
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2516
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2517 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2518
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2519 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2520
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2521 id = ngx_slab_alloc_locked(shpool, session_id_length);
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2522
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2523 if (id == NULL) {
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2524 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
2525 }
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2526 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2527
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2528 #endif
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2529
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2530 ngx_memcpy(cached_sess, buf, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2531
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2532 ngx_memcpy(id, session_id, session_id_length);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2533
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2534 hash = ngx_crc32_short(session_id, session_id_length);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2535
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2536 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2537 "ssl new session: %08XD:%ud:%d",
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2538 hash, session_id_length, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2539
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2540 sess_id->node.key = hash;
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2541 sess_id->node.data = (u_char) session_id_length;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2542 sess_id->id = id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2543 sess_id->len = len;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2544 sess_id->session = cached_sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2545
1757
7ab8bd535eed use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents: 1756
diff changeset
2546 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2547
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2548 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2549
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2550 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2551
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2552 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2553
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2554 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2555
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2556 failed:
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2557
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2558 if (cached_sess) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2559 ngx_slab_free_locked(shpool, cached_sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2560 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2561
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2562 if (sess_id) {
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2563 ngx_slab_free_locked(shpool, sess_id);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2564 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2565
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2566 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2567
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2568 ngx_log_error(NGX_LOG_ALERT, c->log, 0,
5634
5024d29354f1 Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5573
diff changeset
2569 "could not allocate new session%s", shpool->log_ctx);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2570
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2571 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2572 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2573
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2574
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2575 static ngx_ssl_session_t *
6487
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
2576 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
2577 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
2578 const
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
2579 #endif
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
2580 u_char *id, int len, int *copy)
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2581 {
989
5595e47d4f17 d2i_SSL_SESSION() was changed in 0.9.7f
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
2582 #if OPENSSL_VERSION_NUMBER >= 0x0090707fL
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2583 const
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2584 #endif
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2585 u_char *p;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2586 uint32_t hash;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2587 ngx_int_t rc;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2588 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2589 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2590 ngx_rbtree_node_t *node, *sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2591 ngx_ssl_session_t *sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2592 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2593 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2594 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
3961
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
2595 ngx_connection_t *c;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2596
6487
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
2597 hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2598 *copy = 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2599
3961
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
2600 c = ngx_ssl_get_connection(ssl_conn);
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
2601
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2602 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
3155
e720c4a68ee0 fix debug log message
Igor Sysoev <igor@sysoev.ru>
parents: 3154
diff changeset
2603 "ssl get session: %08XD:%d", hash, len);
6261
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6259
diff changeset
2604
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6259
diff changeset
2605 shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx,
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2606 ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2607
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2608 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2609
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2610 sess = NULL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2611
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2612 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2613
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2614 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2615
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2616 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2617 sentinel = cache->session_rbtree.sentinel;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2618
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2619 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2620
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2621 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2622 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2623 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2624 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2625
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2626 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2627 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2628 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2629 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2630
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2631 /* hash == node->key */
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2632
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2633 sess_id = (ngx_ssl_sess_id_t *) node;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2634
6487
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
2635 rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id,
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6486
diff changeset
2636 (size_t) len, (size_t) node->data);
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2637
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2638 if (rc == 0) {
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2639
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2640 if (sess_id->expire > ngx_time()) {
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2641 ngx_memcpy(buf, sess_id->session, sess_id->len);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2642
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2643 ngx_shmtx_unlock(&shpool->mutex);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2644
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2645 p = buf;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2646 sess = d2i_SSL_SESSION(NULL, &p, sess_id->len);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2647
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2648 return sess;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2649 }
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2650
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2651 ngx_queue_remove(&sess_id->queue);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2652
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2653 ngx_rbtree_delete(&cache->session_rbtree, node);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2654
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2655 ngx_slab_free_locked(shpool, sess_id->session);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2656 #if (NGX_PTR_SIZE == 4)
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2657 ngx_slab_free_locked(shpool, sess_id->id);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2658 #endif
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2659 ngx_slab_free_locked(shpool, sess_id);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2660
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2661 sess = NULL;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2662
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2663 goto done;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2664 }
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2665
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2666 node = (rc < 0) ? node->left : node->right;
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2667 }
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2668
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2669 done:
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2670
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2671 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2672
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2673 return sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2674 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2675
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2676
1924
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2677 void
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2678 ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2679 {
6474
Ruslan Ermilov <ru@nginx.com>
parents: 6407
diff changeset
2680 SSL_CTX_remove_session(ssl, sess);
Ruslan Ermilov <ru@nginx.com>
parents: 6407
diff changeset
2681
Ruslan Ermilov <ru@nginx.com>
parents: 6407
diff changeset
2682 ngx_ssl_remove_session(ssl, sess);
1924
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2683 }
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2684
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2685
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2686 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2687 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2688 {
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2689 u_char *id;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2690 uint32_t hash;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2691 ngx_int_t rc;
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2692 unsigned int len;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2693 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2694 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2695 ngx_rbtree_node_t *node, *sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2696 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2697 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2698
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2699 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2700
1924
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2701 if (shm_zone == NULL) {
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2702 return;
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2703 }
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2704
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2705 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2706
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2707 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2708
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2709 id = (u_char *) SSL_SESSION_get_id(sess, &len);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2710
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2711 #else
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2712
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2713 id = sess->session_id;
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2714 len = sess->session_id_length;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2715
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2716 #endif
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2717
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2718 hash = ngx_crc32_short(id, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2719
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2720 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
2721 "ssl remove session: %08XD:%ud", hash, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2722
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2723 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2724
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2725 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2726
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2727 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2728 sentinel = cache->session_rbtree.sentinel;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2729
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2730 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2731
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2732 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2733 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2734 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2735 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2736
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2737 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2738 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2739 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2740 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2741
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2742 /* hash == node->key */
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2743
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2744 sess_id = (ngx_ssl_sess_id_t *) node;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2745
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2746 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2747
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2748 if (rc == 0) {
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2749
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2750 ngx_queue_remove(&sess_id->queue);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2751
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2752 ngx_rbtree_delete(&cache->session_rbtree, node);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2753
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2754 ngx_slab_free_locked(shpool, sess_id->session);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2755 #if (NGX_PTR_SIZE == 4)
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2756 ngx_slab_free_locked(shpool, sess_id->id);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2757 #endif
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2758 ngx_slab_free_locked(shpool, sess_id);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2759
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2760 goto done;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2761 }
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2762
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2763 node = (rc < 0) ? node->left : node->right;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2764 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2765
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2766 done:
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2767
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2768 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2769 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2770
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2771
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2772 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2773 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2774 ngx_slab_pool_t *shpool, ngx_uint_t n)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2775 {
1757
7ab8bd535eed use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents: 1756
diff changeset
2776 time_t now;
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2777 ngx_queue_t *q;
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2778 ngx_ssl_sess_id_t *sess_id;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2779
1757
7ab8bd535eed use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents: 1756
diff changeset
2780 now = ngx_time();
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2781
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2782 while (n < 3) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2783
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2784 if (ngx_queue_empty(&cache->expire_queue)) {
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2785 return;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2786 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2787
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2788 q = ngx_queue_last(&cache->expire_queue);
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2789
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2790 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue);
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2791
1757
7ab8bd535eed use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents: 1756
diff changeset
2792 if (n++ != 0 && sess_id->expire > now) {
1439
36548ad85be1 style fix
Igor Sysoev <igor@sysoev.ru>
parents: 1426
diff changeset
2793 return;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2794 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2795
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2796 ngx_queue_remove(q);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2797
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2798 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2799 "expire session: %08Xi", sess_id->node.key);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2800
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2801 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2802
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2803 ngx_slab_free_locked(shpool, sess_id->session);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2804 #if (NGX_PTR_SIZE == 4)
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2805 ngx_slab_free_locked(shpool, sess_id->id);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2806 #endif
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2807 ngx_slab_free_locked(shpool, sess_id);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2808 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2809 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2810
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2811
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2812 static void
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2813 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2814 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel)
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2815 {
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2816 ngx_rbtree_node_t **p;
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2817 ngx_ssl_sess_id_t *sess_id, *sess_id_temp;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2818
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2819 for ( ;; ) {
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2820
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2821 if (node->key < temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2822
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2823 p = &temp->left;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2824
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2825 } else if (node->key > temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2826
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2827 p = &temp->right;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2828
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2829 } else { /* node->key == temp->key */
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2830
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2831 sess_id = (ngx_ssl_sess_id_t *) node;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2832 sess_id_temp = (ngx_ssl_sess_id_t *) temp;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2833
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2834 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id,
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2835 (size_t) node->data, (size_t) temp->data)
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2836 < 0) ? &temp->left : &temp->right;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2837 }
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2838
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2839 if (*p == sentinel) {
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2840 break;
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2841 }
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2842
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2843 temp = *p;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2844 }
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2845
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2846 *p = node;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2847 node->parent = temp;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2848 node->left = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2849 node->right = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2850 ngx_rbt_red(node);
1043
7073b87fa8e9 style fix: remove trailing spaces
Igor Sysoev <igor@sysoev.ru>
parents: 1029
diff changeset
2851 }
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2852
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2853
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2854 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2855
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2856 ngx_int_t
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2857 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2858 {
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2859 u_char buf[80];
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2860 size_t size;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2861 ssize_t n;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2862 ngx_str_t *path;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2863 ngx_file_t file;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2864 ngx_uint_t i;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2865 ngx_array_t *keys;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2866 ngx_file_info_t fi;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2867 ngx_ssl_session_ticket_key_t *key;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2868
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2869 if (paths == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2870 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2871 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2872
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2873 keys = ngx_array_create(cf->pool, paths->nelts,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2874 sizeof(ngx_ssl_session_ticket_key_t));
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2875 if (keys == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2876 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2877 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2878
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2879 path = paths->elts;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2880 for (i = 0; i < paths->nelts; i++) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2881
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2882 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2883 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2884 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2885
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2886 ngx_memzero(&file, sizeof(ngx_file_t));
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2887 file.name = path[i];
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2888 file.log = cf->log;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2889
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2890 file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, 0, 0);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2891 if (file.fd == NGX_INVALID_FILE) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2892 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2893 ngx_open_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2894 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2895 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2896
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2897 if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2898 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2899 ngx_fd_info_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2900 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2901 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2902
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2903 size = ngx_file_size(&fi);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2904
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2905 if (size != 48 && size != 80) {
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2906 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2907 "\"%V\" must be 48 or 80 bytes", &file.name);
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2908 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2909 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2910
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2911 n = ngx_read_file(&file, buf, size, 0);
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2912
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2913 if (n == NGX_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2914 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2915 ngx_read_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2916 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2917 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2918
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2919 if ((size_t) n != size) {
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2920 ngx_conf_log_error(NGX_LOG_CRIT, cf, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2921 ngx_read_file_n " \"%V\" returned only "
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2922 "%z bytes instead of %uz", &file.name, n, size);
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2923 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2924 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2925
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2926 key = ngx_array_push(keys);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2927 if (key == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2928 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2929 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2930
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2931 if (size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2932 key->size = 48;
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2933 ngx_memcpy(key->name, buf, 16);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2934 ngx_memcpy(key->aes_key, buf + 16, 16);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2935 ngx_memcpy(key->hmac_key, buf + 32, 16);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2936
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2937 } else {
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2938 key->size = 80;
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2939 ngx_memcpy(key->name, buf, 16);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2940 ngx_memcpy(key->hmac_key, buf + 16, 32);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2941 ngx_memcpy(key->aes_key, buf + 48, 32);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2942 }
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2943
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2944 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2945 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2946 ngx_close_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2947 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2948 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2949
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2950 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2951 == 0)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2952 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2953 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2954 "SSL_CTX_set_ex_data() failed");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2955 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2956 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2957
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2958 if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2959 ngx_ssl_session_ticket_key_callback)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2960 == 0)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2961 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2962 ngx_log_error(NGX_LOG_WARN, cf->log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2963 "nginx was built with Session Tickets support, however, "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2964 "now it is linked dynamically to an OpenSSL library "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2965 "which has no tlsext support, therefore Session Tickets "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2966 "are not available");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2967 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2968
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2969 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2970
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2971 failed:
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2972
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2973 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2974 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2975 ngx_close_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2976 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2977
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2978 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2979 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2980
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2981
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2982 static int
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2983 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2984 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2985 HMAC_CTX *hctx, int enc)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2986 {
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
2987 size_t size;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2988 SSL_CTX *ssl_ctx;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2989 ngx_uint_t i;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2990 ngx_array_t *keys;
6261
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6259
diff changeset
2991 ngx_connection_t *c;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2992 ngx_ssl_session_ticket_key_t *key;
6686
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6660
diff changeset
2993 const EVP_MD *digest;
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6660
diff changeset
2994 const EVP_CIPHER *cipher;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2995 #if (NGX_DEBUG)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2996 u_char buf[32];
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2997 #endif
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
2998
6261
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6259
diff changeset
2999 c = ngx_ssl_get_connection(ssl_conn);
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6259
diff changeset
3000 ssl_ctx = c->ssl->session_ctx;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3001
6686
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6660
diff changeset
3002 #ifdef OPENSSL_NO_SHA256
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6660
diff changeset
3003 digest = EVP_sha1();
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6660
diff changeset
3004 #else
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6660
diff changeset
3005 digest = EVP_sha256();
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6660
diff changeset
3006 #endif
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6660
diff changeset
3007
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3008 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3009 if (keys == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3010 return -1;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3011 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3012
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3013 key = keys->elts;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3014
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3015 if (enc == 1) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3016 /* encrypt session ticket */
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3017
5657
3b48f9e69e70 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5640
diff changeset
3018 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3019 "ssl session ticket encrypt, key: \"%*s\" (%s session)",
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3020 ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3021 SSL_session_reused(ssl_conn) ? "reused" : "new");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3022
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3023 if (key[0].size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3024 cipher = EVP_aes_128_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3025 size = 16;
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3026
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3027 } else {
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3028 cipher = EVP_aes_256_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3029 size = 32;
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3030 }
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3031
6687
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3032 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3033 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed");
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3034 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3035 }
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3036
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3037 if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) {
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3038 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3039 "EVP_EncryptInit_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3040 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3041 }
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3042
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3043 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3044 if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
6687
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3045 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3046 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3047 }
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3048 #else
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3049 HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL);
6687
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3050 #endif
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3051
5760
4b668378ad8b Style: use ngx_memcpy() instead of memcpy().
Piotr Sikora <piotr@cloudflare.com>
parents: 5756
diff changeset
3052 ngx_memcpy(name, key[0].name, 16);
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3053
6660
3eb1a92a2f05 SSL: adopted session ticket handling for OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6659
diff changeset
3054 return 1;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3055
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3056 } else {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3057 /* decrypt session ticket */
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3058
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3059 for (i = 0; i < keys->nelts; i++) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3060 if (ngx_memcmp(name, key[i].name, 16) == 0) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3061 goto found;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3062 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3063 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3064
5657
3b48f9e69e70 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5640
diff changeset
3065 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3066 "ssl session ticket decrypt, key: \"%*s\" not found",
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3067 ngx_hex_dump(buf, name, 16) - buf, buf);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3068
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3069 return 0;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3070
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3071 found:
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3072
5657
3b48f9e69e70 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5640
diff changeset
3073 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3074 "ssl session ticket decrypt, key: \"%*s\"%s",
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3075 ngx_hex_dump(buf, key[i].name, 16) - buf, buf,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3076 (i == 0) ? " (default)" : "");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3077
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3078 if (key[i].size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3079 cipher = EVP_aes_128_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3080 size = 16;
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3081
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3082 } else {
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3083 cipher = EVP_aes_256_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3084 size = 32;
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3085 }
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3086
6687
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3087 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3088 if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
6687
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3089 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3090 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3091 }
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3092 #else
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
3093 HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL);
6687
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3094 #endif
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3095
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3096 if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) {
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3097 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3098 "EVP_DecryptInit_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3099 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6686
diff changeset
3100 }
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3101
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3102 return (i == 0) ? 1 : 2 /* renew */;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3103 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3104 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3105
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3106 #else
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3107
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3108 ngx_int_t
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3109 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3110 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3111 if (paths) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3112 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3113 "\"ssl_session_ticket_keys\" ignored, not supported");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3114 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3115
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3116 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3117 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3118
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3119 #endif
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3120
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
3121
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
3122 void
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
3123 ngx_ssl_cleanup_ctx(void *data)
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
3124 {
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
3125 ngx_ssl_t *ssl = data;
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
3126
6548
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3127 X509 *cert, *next;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3128
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3129 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3130
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3131 while (cert) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3132 next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3133 X509_free(cert);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3134 cert = next;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3135 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
3136
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
3137 SSL_CTX_free(ssl->ctx);
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
3138 }
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
3139
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
3140
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3141 ngx_int_t
5661
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3142 ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name)
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3143 {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3144 X509 *cert;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3145
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3146 cert = SSL_get_peer_certificate(c->ssl->connection);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3147 if (cert == NULL) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3148 return NGX_ERROR;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3149 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3150
6725
9b9ae81cd4f0 SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6699
diff changeset
3151 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
5661
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3152
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3153 /* X509_check_host() is only available in OpenSSL 1.0.2+ */
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3154
5669
cac82b9b3499 SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5666
diff changeset
3155 if (name->len == 0) {
cac82b9b3499 SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5666
diff changeset
3156 goto failed;
cac82b9b3499 SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5666
diff changeset
3157 }
cac82b9b3499 SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5666
diff changeset
3158
5767
abd460ece11e SSL: fix build with recent OpenSSL.
Piotr Sikora <piotr@cloudflare.com>
parents: 5760
diff changeset
3159 if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) {
5661
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3160 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3161 "X509_check_host(): no match");
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3162 goto failed;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3163 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3164
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3165 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3166 "X509_check_host(): match");
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3167
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3168 goto found;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3169
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3170 #else
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3171 {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3172 int n, i;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3173 X509_NAME *sname;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3174 ASN1_STRING *str;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3175 X509_NAME_ENTRY *entry;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3176 GENERAL_NAME *altname;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3177 STACK_OF(GENERAL_NAME) *altnames;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3178
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3179 /*
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3180 * As per RFC6125 and RFC2818, we check subjectAltName extension,
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3181 * and if it's not present - commonName in Subject is checked.
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3182 */
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3183
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3184 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3185
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3186 if (altnames) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3187 n = sk_GENERAL_NAME_num(altnames);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3188
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3189 for (i = 0; i < n; i++) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3190 altname = sk_GENERAL_NAME_value(altnames, i);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3191
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3192 if (altname->type != GEN_DNS) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3193 continue;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3194 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3195
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3196 str = altname->d.dNSName;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3197
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3198 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3199 "SSL subjectAltName: \"%*s\"",
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3200 ASN1_STRING_length(str), ASN1_STRING_data(str));
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3201
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3202 if (ngx_ssl_check_name(name, str) == NGX_OK) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3203 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3204 "SSL subjectAltName: match");
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3205 GENERAL_NAMES_free(altnames);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3206 goto found;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3207 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3208 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3209
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3210 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3211 "SSL subjectAltName: no match");
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3212
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3213 GENERAL_NAMES_free(altnames);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3214 goto failed;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3215 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3216
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3217 /*
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3218 * If there is no subjectAltName extension, check commonName
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3219 * in Subject. While RFC2818 requires to only check "most specific"
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3220 * CN, both Apache and OpenSSL check all CNs, and so do we.
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3221 */
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3222
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3223 sname = X509_get_subject_name(cert);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3224
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3225 if (sname == NULL) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3226 goto failed;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3227 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3228
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3229 i = -1;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3230 for ( ;; ) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3231 i = X509_NAME_get_index_by_NID(sname, NID_commonName, i);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3232
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3233 if (i < 0) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3234 break;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3235 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3236
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3237 entry = X509_NAME_get_entry(sname, i);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3238 str = X509_NAME_ENTRY_get_data(entry);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3239
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3240 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3241 "SSL commonName: \"%*s\"",
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3242 ASN1_STRING_length(str), ASN1_STRING_data(str));
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3243
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3244 if (ngx_ssl_check_name(name, str) == NGX_OK) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3245 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3246 "SSL commonName: match");
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3247 goto found;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3248 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3249 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3250
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3251 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3252 "SSL commonName: no match");
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3253 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3254 #endif
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3255
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3256 failed:
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3257
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3258 X509_free(cert);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3259 return NGX_ERROR;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3260
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3261 found:
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3262
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3263 X509_free(cert);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3264 return NGX_OK;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3265 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3266
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3267
6725
9b9ae81cd4f0 SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6699
diff changeset
3268 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
5661
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3269
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3270 static ngx_int_t
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3271 ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3272 {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3273 u_char *s, *p, *end;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3274 size_t slen, plen;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3275
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3276 s = name->data;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3277 slen = name->len;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3278
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3279 p = ASN1_STRING_data(pattern);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3280 plen = ASN1_STRING_length(pattern);
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3281
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3282 if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3283 return NGX_OK;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3284 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3285
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3286 if (plen > 2 && p[0] == '*' && p[1] == '.') {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3287 plen -= 1;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3288 p += 1;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3289
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3290 end = s + slen;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3291 s = ngx_strlchr(s, end, '.');
5666
a77c0839c993 SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5661
diff changeset
3292
a77c0839c993 SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5661
diff changeset
3293 if (s == NULL) {
a77c0839c993 SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5661
diff changeset
3294 return NGX_ERROR;
a77c0839c993 SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5661
diff changeset
3295 }
a77c0839c993 SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5661
diff changeset
3296
5661
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3297 slen = end - s;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3298
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3299 if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) {
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3300 return NGX_OK;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3301 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3302 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3303
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3304 return NGX_ERROR;
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3305 }
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3306
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3307 #endif
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3308
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3309
060c2e692b96 Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5658
diff changeset
3310 ngx_int_t
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3311 ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
3312 {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3313 s->data = (u_char *) SSL_get_version(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3314 return NGX_OK;
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
3315 }
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
3316
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
3317
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3318 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3319 ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
3320 {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3321 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3322 return NGX_OK;
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
3323 }
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
3324
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
3325
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3326 ngx_int_t
6816
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3327 ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3328 {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3329 #ifdef SSL_CTRL_GET_RAW_CIPHERLIST
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3330
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3331 int n, i, bytes;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3332 size_t len;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3333 u_char *ciphers, *p;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3334 const SSL_CIPHER *cipher;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3335
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3336 bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3337 n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3338
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3339 if (n <= 0) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3340 s->len = 0;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3341 return NGX_OK;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3342 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3343
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3344 len = 0;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3345 n /= bytes;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3346
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3347 for (i = 0; i < n; i++) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3348 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3349
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3350 if (cipher) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3351 len += ngx_strlen(SSL_CIPHER_get_name(cipher));
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3352
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3353 } else {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3354 len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3355 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3356
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3357 len += sizeof(":") - 1;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3358 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3359
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3360 s->data = ngx_pnalloc(pool, len);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3361 if (s->data == NULL) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3362 return NGX_ERROR;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3363 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3364
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3365 p = s->data;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3366
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3367 for (i = 0; i < n; i++) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3368 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3369
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3370 if (cipher) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3371 p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher));
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3372
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3373 } else {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3374 p = ngx_sprintf(p, "0x");
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3375 p = ngx_hex_dump(p, ciphers + i * bytes, bytes);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3376 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3377
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3378 *p++ = ':';
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3379 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3380
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3381 p--;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3382
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3383 s->len = p - s->data;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3384
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3385 #else
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3386
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3387 u_char buf[4096];
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3388
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3389 if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096)
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3390 == NULL)
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3391 {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3392 s->len = 0;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3393 return NGX_OK;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3394 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3395
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3396 s->len = ngx_strlen(buf);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3397 s->data = ngx_pnalloc(pool, s->len);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3398 if (s->data == NULL) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3399 return NGX_ERROR;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3400 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3401
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3402 ngx_memcpy(s->data, buf, s->len);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3403
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3404 #endif
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3405
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3406 return NGX_OK;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3407 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3408
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3409
ea93c7d8752a SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6815
diff changeset
3410 ngx_int_t
6817
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3411 ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3412 {
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3413 #ifdef SSL_CTRL_GET_CURVES
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3414
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3415 int *curves, n, i, nid;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3416 u_char *p;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3417 size_t len;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3418
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3419 n = SSL_get1_curves(c->ssl->connection, NULL);
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3420
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3421 if (n <= 0) {
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3422 s->len = 0;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3423 return NGX_OK;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3424 }
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3425
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3426 curves = ngx_palloc(pool, n * sizeof(int));
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3427
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3428 n = SSL_get1_curves(c->ssl->connection, curves);
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3429 len = 0;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3430
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3431 for (i = 0; i < n; i++) {
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3432 nid = curves[i];
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3433
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3434 if (nid & TLSEXT_nid_unknown) {
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3435 len += sizeof("0x0000") - 1;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3436
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3437 } else {
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3438 len += ngx_strlen(OBJ_nid2sn(nid));
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3439 }
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3440
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3441 len += sizeof(":") - 1;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3442 }
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3443
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3444 s->data = ngx_pnalloc(pool, len);
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3445 if (s->data == NULL) {
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3446 return NGX_ERROR;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3447 }
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3448
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3449 p = s->data;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3450
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3451 for (i = 0; i < n; i++) {
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3452 nid = curves[i];
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3453
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3454 if (nid & TLSEXT_nid_unknown) {
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3455 p = ngx_sprintf(p, "0x%04xd", nid & 0xffff);
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3456
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3457 } else {
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3458 p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid));
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3459 }
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3460
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3461 *p++ = ':';
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3462 }
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3463
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3464 p--;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3465
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3466 s->len = p - s->data;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3467
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3468 #else
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3469
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3470 s->len = 0;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3471
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3472 #endif
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3473
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3474 return NGX_OK;
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3475 }
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3476
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3477
e75e854657ba SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6816
diff changeset
3478 ngx_int_t
3154
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3479 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3480 {
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3481 u_char *buf;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3482 SSL_SESSION *sess;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3483 unsigned int len;
3154
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3484
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3485 sess = SSL_get0_session(c->ssl->connection);
5537
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5531
diff changeset
3486 if (sess == NULL) {
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5531
diff changeset
3487 s->len = 0;
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5531
diff changeset
3488 return NGX_OK;
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5531
diff changeset
3489 }
3154
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3490
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3491 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3492
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3493 buf = (u_char *) SSL_SESSION_get_id(sess, &len);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3494
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3495 #else
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3496
5531
97e3769637a7 SSL: fixed $ssl_session_id variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5487
diff changeset
3497 buf = sess->session_id;
97e3769637a7 SSL: fixed $ssl_session_id variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5487
diff changeset
3498 len = sess->session_id_length;
3154
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3499
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3500 #endif
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3501
3154
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3502 s->len = 2 * len;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3503 s->data = ngx_pnalloc(pool, 2 * len);
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3504 if (s->data == NULL) {
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3505 return NGX_ERROR;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3506 }
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3507
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3508 ngx_hex_dump(s->data, buf, len);
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3509
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3510 return NGX_OK;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3511 }
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3512
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3513
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
3514 ngx_int_t
5573
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3515 ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3516 {
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3517 if (SSL_session_reused(c->ssl->connection)) {
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3518 ngx_str_set(s, "r");
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3519
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3520 } else {
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3521 ngx_str_set(s, ".");
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3522 }
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3523
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3524 return NGX_OK;
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3525 }
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3526
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3527
7c05f6590753 SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5537
diff changeset
3528 ngx_int_t
5658
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3529 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3530 {
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3531 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3532
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3533 const char *servername;
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3534
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3535 servername = SSL_get_servername(c->ssl->connection,
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3536 TLSEXT_NAMETYPE_host_name);
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3537 if (servername) {
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3538 s->data = (u_char *) servername;
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3539 s->len = ngx_strlen(servername);
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3540 return NGX_OK;
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3541 }
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3542
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3543 #endif
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3544
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3545 s->len = 0;
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3546 return NGX_OK;
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3547 }
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3548
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3549
94ae92776441 SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5657
diff changeset
3550 ngx_int_t
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3551 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
2045
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3552 {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3553 size_t len;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3554 BIO *bio;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3555 X509 *cert;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3556
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3557 s->len = 0;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3558
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3559 cert = SSL_get_peer_certificate(c->ssl->connection);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3560 if (cert == NULL) {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3561 return NGX_OK;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3562 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3563
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3564 bio = BIO_new(BIO_s_mem());
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3565 if (bio == NULL) {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3566 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3567 X509_free(cert);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3568 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3569 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3570
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3571 if (PEM_write_bio_X509(bio, cert) == 0) {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3572 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3573 goto failed;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3574 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3575
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3576 len = BIO_pending(bio);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3577 s->len = len;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3578
2049
2a92804f4109 *) back out r2040
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
3579 s->data = ngx_pnalloc(pool, len);
2045
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3580 if (s->data == NULL) {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3581 goto failed;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3582 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3583
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3584 BIO_read(bio, s->data, len);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3585
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3586 BIO_free(bio);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3587 X509_free(cert);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3588
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3589 return NGX_OK;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3590
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3591 failed:
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3592
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3593 BIO_free(bio);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3594 X509_free(cert);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3595
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3596 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3597 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3598
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3599
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
3600 ngx_int_t
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3601 ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3602 {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3603 u_char *p;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3604 size_t len;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3605 ngx_uint_t i;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3606 ngx_str_t cert;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3607
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3608 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3609 return NGX_ERROR;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3610 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3611
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3612 if (cert.len == 0) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3613 s->len = 0;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3614 return NGX_OK;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3615 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3616
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3617 len = cert.len - 1;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3618
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3619 for (i = 0; i < cert.len - 1; i++) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3620 if (cert.data[i] == LF) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3621 len++;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3622 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3623 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3624
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3625 s->len = len;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3626 s->data = ngx_pnalloc(pool, len);
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3627 if (s->data == NULL) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3628 return NGX_ERROR;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3629 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3630
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3631 p = s->data;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3632
3002
bf0c7e58e016 fix memory corruption in $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2997
diff changeset
3633 for (i = 0; i < cert.len - 1; i++) {
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3634 *p++ = cert.data[i];
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3635 if (cert.data[i] == LF) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3636 *p++ = '\t';
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3637 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3638 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3639
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3640 return NGX_OK;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3641 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3642
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3643
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
3644 ngx_int_t
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3645 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3646 {
6780
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3647 BIO *bio;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3648 X509 *cert;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3649 X509_NAME *name;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3650
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3651 s->len = 0;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3652
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3653 cert = SSL_get_peer_certificate(c->ssl->connection);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3654 if (cert == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3655 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3656 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3657
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3658 name = X509_get_subject_name(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3659 if (name == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3660 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3661 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3662
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3663 bio = BIO_new(BIO_s_mem());
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3664 if (bio == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3665 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3666 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3667 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3668
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3669 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3670 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3671 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3672
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3673 s->len = BIO_pending(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3674 s->data = ngx_pnalloc(pool, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3675 if (s->data == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3676 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3677 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3678
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3679 BIO_read(bio, s->data, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3680
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3681 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3682 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3683
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3684 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3685
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3686 failed:
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3687
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3688 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3689 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3690
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3691 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3692 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3693
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3694
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3695 ngx_int_t
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3696 ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3697 {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3698 BIO *bio;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3699 X509 *cert;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3700 X509_NAME *name;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3701
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3702 s->len = 0;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3703
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3704 cert = SSL_get_peer_certificate(c->ssl->connection);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3705 if (cert == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3706 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3707 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3708
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3709 name = X509_get_issuer_name(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3710 if (name == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3711 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3712 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3713
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3714 bio = BIO_new(BIO_s_mem());
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3715 if (bio == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3716 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3717 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3718 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3719
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3720 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3721 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3722 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3723
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3724 s->len = BIO_pending(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3725 s->data = ngx_pnalloc(pool, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3726 if (s->data == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3727 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3728 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3729
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3730 BIO_read(bio, s->data, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3731
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3732 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3733 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3734
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3735 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3736
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3737 failed:
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3738
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3739 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3740 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3741
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3742 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3743 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3744
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3745
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3746 ngx_int_t
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3747 ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3748 ngx_str_t *s)
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3749 {
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3750 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3751 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3752 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3753 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3754
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3755 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3756
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3757 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3758 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3759 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3760 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3761
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3762 name = X509_get_subject_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3763 if (name == NULL) {
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
3764 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3765 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3766 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3767
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3768 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3769
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3770 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3771
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3772 s->len = len;
2049
2a92804f4109 *) back out r2040
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
3773 s->data = ngx_pnalloc(pool, len);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3774 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3775 OPENSSL_free(p);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
3776 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3777 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3778 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3779
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3780 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3781
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3782 OPENSSL_free(p);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
3783 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3784
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3785 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3786 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3787
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3788
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3789 ngx_int_t
6780
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3790 ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents: 6775
diff changeset
3791 ngx_str_t *s)
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3792 {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3793 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3794 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3795 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3796 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3797
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3798 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3799
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3800 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3801 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3802 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3803 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3804
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3805 name = X509_get_issuer_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3806 if (name == NULL) {
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
3807 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3808 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3809 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3810
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3811 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3812
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3813 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3814
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3815 s->len = len;
2049
2a92804f4109 *) back out r2040
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
3816 s->data = ngx_pnalloc(pool, len);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3817 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3818 OPENSSL_free(p);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
3819 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3820 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3821 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3822
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3823 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3824
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3825 OPENSSL_free(p);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
3826 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3827
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3828 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3829 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3830
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
3831
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3832 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3833 ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3834 {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3835 size_t len;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3836 X509 *cert;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3837 BIO *bio;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3838
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3839 s->len = 0;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3840
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3841 cert = SSL_get_peer_certificate(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3842 if (cert == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3843 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3844 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3845
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3846 bio = BIO_new(BIO_s_mem());
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3847 if (bio == NULL) {
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
3848 X509_free(cert);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3849 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3850 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3851
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3852 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert));
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3853 len = BIO_pending(bio);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3854
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3855 s->len = len;
2049
2a92804f4109 *) back out r2040
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
3856 s->data = ngx_pnalloc(pool, len);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3857 if (s->data == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3858 BIO_free(bio);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
3859 X509_free(cert);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3860 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3861 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3862
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3863 BIO_read(bio, s->data, len);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3864 BIO_free(bio);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
3865 X509_free(cert);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3866
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3867 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3868 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3869
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
3870
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3871 ngx_int_t
5700
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3872 ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3873 {
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3874 X509 *cert;
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3875 unsigned int len;
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3876 u_char buf[EVP_MAX_MD_SIZE];
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3877
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3878 s->len = 0;
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3879
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3880 cert = SSL_get_peer_certificate(c->ssl->connection);
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3881 if (cert == NULL) {
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3882 return NGX_OK;
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3883 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3884
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3885 if (!X509_digest(cert, EVP_sha1(), buf, &len)) {
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3886 X509_free(cert);
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3887 return NGX_ERROR;
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3888 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3889
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3890 s->len = 2 * len;
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3891 s->data = ngx_pnalloc(pool, 2 * len);
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3892 if (s->data == NULL) {
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3893 X509_free(cert);
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3894 return NGX_ERROR;
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3895 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3896
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3897 ngx_hex_dump(s->data, buf, len);
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3898
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3899 X509_free(cert);
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3900
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3901 return NGX_OK;
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3902 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3903
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3904
5e892d40e5cc SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents: 5669
diff changeset
3905 ngx_int_t
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3906 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3907 {
6814
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3908 X509 *cert;
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3909 long rc;
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3910 const char *str;
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3911
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3912 cert = SSL_get_peer_certificate(c->ssl->connection);
6814
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3913 if (cert == NULL) {
3516
dd1570b6f237 ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents: 3488
diff changeset
3914 ngx_str_set(s, "NONE");
6814
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3915 return NGX_OK;
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3916 }
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3917
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3918 X509_free(cert);
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3919
6814
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3920 rc = SSL_get_verify_result(c->ssl->connection);
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3921
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3922 if (rc == X509_V_OK) {
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3923 ngx_str_set(s, "SUCCESS");
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3924 return NGX_OK;
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3925 }
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3926
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3927 str = X509_verify_cert_error_string(rc);
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3928
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3929 s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3930 if (s->data == NULL) {
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3931 return NGX_ERROR;
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3932 }
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3933
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3934 s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
379139020d36 SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
3935
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3936 return NGX_OK;
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3937 }
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3938
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
3939
6815
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3940 ngx_int_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3941 ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3942 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3943 BIO *bio;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3944 X509 *cert;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3945 size_t len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3946
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3947 s->len = 0;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3948
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3949 cert = SSL_get_peer_certificate(c->ssl->connection);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3950 if (cert == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3951 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3952 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3953
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3954 bio = BIO_new(BIO_s_mem());
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3955 if (bio == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3956 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3957 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3958 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3959
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3960 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3961 ASN1_TIME_print(bio, X509_get0_notBefore(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3962 #else
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3963 ASN1_TIME_print(bio, X509_get_notBefore(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3964 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3965
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3966 len = BIO_pending(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3967
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3968 s->len = len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3969 s->data = ngx_pnalloc(pool, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3970 if (s->data == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3971 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3972 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3973 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3974 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3975
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3976 BIO_read(bio, s->data, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3977 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3978 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3979
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3980 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3981 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3982
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3983
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3984 ngx_int_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3985 ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3986 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3987 BIO *bio;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3988 X509 *cert;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3989 size_t len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3990
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3991 s->len = 0;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3992
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3993 cert = SSL_get_peer_certificate(c->ssl->connection);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3994 if (cert == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3995 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3996 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3997
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3998 bio = BIO_new(BIO_s_mem());
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
3999 if (bio == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4000 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4001 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4002 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4003
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4004 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4005 ASN1_TIME_print(bio, X509_get0_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4006 #else
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4007 ASN1_TIME_print(bio, X509_get_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4008 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4009
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4010 len = BIO_pending(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4011
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4012 s->len = len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4013 s->data = ngx_pnalloc(pool, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4014 if (s->data == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4015 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4016 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4017 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4018 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4019
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4020 BIO_read(bio, s->data, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4021 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4022 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4023
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4024 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4025 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4026
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4027
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4028 ngx_int_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4029 ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4030 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4031 X509 *cert;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4032 time_t now, end;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4033
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4034 s->len = 0;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4035
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4036 cert = SSL_get_peer_certificate(c->ssl->connection);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4037 if (cert == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4038 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4039 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4040
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4041 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4042 end = ngx_ssl_parse_time(X509_get0_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4043 #else
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4044 end = ngx_ssl_parse_time(X509_get_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4045 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4046
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4047 if (end == (time_t) NGX_ERROR) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4048 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4049 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4050 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4051
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4052 now = ngx_time();
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4053
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4054 if (end < now + 86400) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4055 ngx_str_set(s, "0");
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4056 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4057 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4058 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4059
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4060 s->data = ngx_pnalloc(pool, NGX_TIME_T_LEN);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4061 if (s->data == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4062 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4063 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4064 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4065
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4066 s->len = ngx_sprintf(s->data, "%T", (end - now) / 86400) - s->data;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4067
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4068 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4069
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4070 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4071 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4072
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4073
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4074 static time_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4075 ngx_ssl_parse_time(
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4076 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4077 const
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4078 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4079 ASN1_TIME *asn1time)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4080 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4081 BIO *bio;
6842
25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6841
diff changeset
4082 char *value;
6815
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4083 size_t len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4084 time_t time;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4085
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4086 /*
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4087 * OpenSSL doesn't provide a way to convert ASN1_TIME
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4088 * into time_t. To do this, we use ASN1_TIME_print(),
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4089 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g.,
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4090 * "Feb 3 00:55:52 2015 GMT"), and parse the result.
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4091 */
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4092
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4093 bio = BIO_new(BIO_s_mem());
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4094 if (bio == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4095 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4096 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4097
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4098 /* fake weekday prepended to match C asctime() format */
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4099
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4100 BIO_write(bio, "Tue ", sizeof("Tue ") - 1);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4101 ASN1_TIME_print(bio, asn1time);
6842
25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6841
diff changeset
4102 len = BIO_get_mem_data(bio, &value);
25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6841
diff changeset
4103
25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6841
diff changeset
4104 time = ngx_parse_http_time((u_char *) value, len);
6815
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4105
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4106 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4107
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4108 return time;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4109 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4110
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6814
diff changeset
4111
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4112 static void *
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4113 ngx_openssl_create_conf(ngx_cycle_t *cycle)
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4114 {
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4115 ngx_openssl_conf_t *oscf;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
4116
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4117 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t));
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4118 if (oscf == NULL) {
2912
c7d57b539248 return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents: 2764
diff changeset
4119 return NULL;
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4120 }
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
4121
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4122 /*
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4123 * set by ngx_pcalloc():
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
4124 *
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4125 * oscf->engine = 0;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
4126 */
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4127
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4128 return oscf;
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4129 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4130
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4131
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4132 static char *
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4133 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4134 {
5777
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4135 #ifndef OPENSSL_NO_ENGINE
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4136
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4137 ngx_openssl_conf_t *oscf = conf;
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
4138
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4139 ENGINE *engine;
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4140 ngx_str_t *value;
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4141
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4142 if (oscf->engine) {
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4143 return "is duplicate";
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4144 }
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
4145
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4146 oscf->engine = 1;
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4147
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4148 value = cf->args->elts;
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4149
6552
addd98357629 SSL: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6551
diff changeset
4150 engine = ENGINE_by_id((char *) value[1].data);
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4151
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4152 if (engine == NULL) {
6699
9cf2dce316e5 Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents: 6687
diff changeset
4153 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4154 "ENGINE_by_id(\"%V\") failed", &value[1]);
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4155 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4156 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4157
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4158 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
6699
9cf2dce316e5 Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents: 6687
diff changeset
4159 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4160 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4161 &value[1]);
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4162
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4163 ENGINE_free(engine);
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4164
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4165 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4166 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4167
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4168 ENGINE_free(engine);
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4169
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
4170 return NGX_CONF_OK;
5777
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4171
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4172 #else
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4173
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4174 return "is not supported";
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4175
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4176 #endif
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
4177 }
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
4178
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
4179
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
4180 static void
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
4181 ngx_openssl_exit(ngx_cycle_t *cycle)
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
4182 {
6488
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
4183 #if OPENSSL_VERSION_NUMBER < 0x10100003L
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
4184
3464
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents: 3457
diff changeset
4185 EVP_cleanup();
5777
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4186 #ifndef OPENSSL_NO_ENGINE
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
4187 ENGINE_cleanup();
5777
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5775
diff changeset
4188 #endif
6488
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
4189
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6487
diff changeset
4190 #endif
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
4191 }