Mercurial > hg > nginx
annotate src/event/ngx_event_openssl.c @ 9136:85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Following OpenSSL 0.9.8f, OpenSSL tries to load application-specific
configuration section first, and then falls back to the "openssl_conf"
default section if application-specific section is not found, by using
CONF_modules_load_file(CONF_MFLAGS_DEFAULT_SECTION). Therefore this
change is not expected to introduce any compatibility issues with existing
configurations. It does, however, make it easier to configure specific
OpenSSL settings for nginx in system-wide OpenSSL configuration
(ticket #2449).
Instead of checking OPENSSL_VERSION_NUMBER when using the OPENSSL_init_ssl()
interface, the code now tests for OPENSSL_INIT_LOAD_CONFIG to be defined and
true, and also explicitly excludes LibreSSL. This ensures that this interface
is not used with BoringSSL and LibreSSL, which do not provide additional
library initialization settings, notably the OPENSSL_INIT_set_config_appname()
call.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 21 Jun 2023 01:29:55 +0300 |
parents | 0af598651e33 |
children | 0ba26c99b3a1 |
rev | line source |
---|---|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
1 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
2 /* |
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
5 */ |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
6 |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
7 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #include <ngx_config.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
9 #include <ngx_core.h> |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
10 #include <ngx_event.h> |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
541 | 12 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
13 #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
14 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
15 |
541 | 16 typedef struct { |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
17 ngx_uint_t engine; /* unsigned engine:1; */ |
541 | 18 } ngx_openssl_conf_t; |
479 | 19 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
20 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
21 static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
22 ngx_str_t *cert, STACK_OF(X509) **chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
23 static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
24 ngx_str_t *key, ngx_array_t *passwords); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
25 static int ngx_ssl_password_callback(char *buf, int size, int rwflag, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
26 void *userdata); |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
27 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
28 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
29 int ret); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
30 static void ngx_ssl_passwords_cleanup(void *data); |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
31 static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
32 ngx_ssl_session_t *sess); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
33 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
34 static ngx_int_t ngx_ssl_try_early_data(ngx_connection_t *c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
35 #endif |
547 | 36 static void ngx_ssl_handshake_handler(ngx_event_t *ev); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
37 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
38 static ssize_t ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
39 size_t size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
40 #endif |
489 | 41 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); |
473 | 42 static void ngx_ssl_write_handler(ngx_event_t *wev); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
43 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
44 static ssize_t ngx_ssl_write_early(ngx_connection_t *c, u_char *data, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
45 size_t size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
46 #endif |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
47 static ssize_t ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
48 size_t size); |
473 | 49 static void ngx_ssl_read_handler(ngx_event_t *rev); |
577 | 50 static void ngx_ssl_shutdown_handler(ngx_event_t *ev); |
547 | 51 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, |
52 ngx_err_t err, char *text); | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
53 static void ngx_ssl_clear_error(ngx_log_t *log); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
54 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
55 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
56 ngx_str_t *sess_ctx, ngx_array_t *certificates); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
57 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
58 ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
59 static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
60 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
61 const |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
62 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
63 u_char *id, int len, int *copy); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
64 static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
65 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
66 ngx_slab_pool_t *shpool, ngx_uint_t n); |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
67 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
68 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
69 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
70 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
8082
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
71 static int ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
72 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
73 HMAC_CTX *hctx, int enc); |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
74 static ngx_int_t ngx_ssl_rotate_ticket_keys(SSL_CTX *ssl_ctx, ngx_log_t *log); |
8082
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
75 static void ngx_ssl_ticket_keys_cleanup(void *data); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
76 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
77 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
78 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
79 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
80 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
81 |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
82 static time_t ngx_ssl_parse_time( |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
83 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
84 const |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
85 #endif |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
86 ASN1_TIME *asn1time, ngx_log_t *log); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
87 |
541 | 88 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
89 static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); |
571 | 90 static void ngx_openssl_exit(ngx_cycle_t *cycle); |
541 | 91 |
92 | |
93 static ngx_command_t ngx_openssl_commands[] = { | |
94 | |
95 { ngx_string("ssl_engine"), | |
96 NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
97 ngx_openssl_engine, |
541 | 98 0, |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
99 0, |
541 | 100 NULL }, |
101 | |
102 ngx_null_command | |
103 }; | |
104 | |
105 | |
106 static ngx_core_module_t ngx_openssl_module_ctx = { | |
107 ngx_string("openssl"), | |
108 ngx_openssl_create_conf, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
109 NULL |
577 | 110 }; |
541 | 111 |
112 | |
113 ngx_module_t ngx_openssl_module = { | |
114 NGX_MODULE_V1, | |
115 &ngx_openssl_module_ctx, /* module context */ | |
116 ngx_openssl_commands, /* module directives */ | |
117 NGX_CORE_MODULE, /* module type */ | |
118 NULL, /* init master */ | |
119 NULL, /* init module */ | |
120 NULL, /* init process */ | |
121 NULL, /* init thread */ | |
122 NULL, /* exit thread */ | |
123 NULL, /* exit process */ | |
571 | 124 ngx_openssl_exit, /* exit master */ |
541 | 125 NGX_MODULE_V1_PADDING |
547 | 126 }; |
127 | |
128 | |
969 | 129 int ngx_ssl_connection_index; |
130 int ngx_ssl_server_conf_index; | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
131 int ngx_ssl_session_cache_index; |
8082
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
132 int ngx_ssl_ticket_keys_index; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
133 int ngx_ssl_ocsp_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
134 int ngx_ssl_certificate_index; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
135 int ngx_ssl_next_certificate_index; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
136 int ngx_ssl_certificate_name_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
137 int ngx_ssl_stapling_index; |
671 | 138 |
139 | |
489 | 140 ngx_int_t |
141 ngx_ssl_init(ngx_log_t *log) | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
142 { |
9136
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
143 #if (OPENSSL_INIT_LOAD_CONFIG && !defined LIBRESSL_VERSION_NUMBER) |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
144 |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
145 OPENSSL_INIT_SETTINGS *init; |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
146 |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
147 init = OPENSSL_INIT_new(); |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
148 if (init == NULL) { |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
149 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_INIT_new() failed"); |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
150 return NGX_ERROR; |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
151 } |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
152 |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
153 #ifndef OPENSSL_NO_STDIO |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
154 if (OPENSSL_INIT_set_config_appname(init, "nginx") == 0) { |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
155 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
156 "OPENSSL_INIT_set_config_appname() failed"); |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
157 return NGX_ERROR; |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
158 } |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
159 #endif |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
160 |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
161 if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, init) == 0) { |
6902
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
162 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed"); |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
163 return NGX_ERROR; |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
164 } |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
165 |
9136
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
166 OPENSSL_INIT_free(init); |
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
167 |
6902
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
168 /* |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
169 * OPENSSL_init_ssl() may leave errors in the error queue |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
170 * while returning success |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
171 */ |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
172 |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
173 ERR_clear_error(); |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
174 |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
175 #else |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
176 |
9136
85abf534cead
SSL: provided "nginx" appname when loading OpenSSL configs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
9085
diff
changeset
|
177 OPENSSL_config("nginx"); |
968 | 178 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
179 SSL_library_init(); |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
180 SSL_load_error_strings(); |
541 | 181 |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
182 OpenSSL_add_all_algorithms(); |
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
183 |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
184 #endif |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
185 |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
186 #ifndef SSL_OP_NO_COMPRESSION |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
187 { |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
188 /* |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
189 * Disable gzip compression in OpenSSL prior to 1.0.0 version, |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
190 * this saves about 522K per connection. |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
191 */ |
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
192 int n; |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
193 STACK_OF(SSL_COMP) *ssl_comp_methods; |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
194 |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
195 ssl_comp_methods = SSL_COMP_get_compression_methods(); |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
196 n = sk_SSL_COMP_num(ssl_comp_methods); |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
197 |
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
198 while (n--) { |
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
199 (void) sk_SSL_COMP_pop(ssl_comp_methods); |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
200 } |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
201 } |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
202 #endif |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
203 |
969 | 204 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
671 | 205 |
969 | 206 if (ngx_ssl_connection_index == -1) { |
671 | 207 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); |
208 return NGX_ERROR; | |
209 } | |
210 | |
969 | 211 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
212 NULL); | |
213 if (ngx_ssl_server_conf_index == -1) { | |
214 ngx_ssl_error(NGX_LOG_ALERT, log, 0, | |
215 "SSL_CTX_get_ex_new_index() failed"); | |
216 return NGX_ERROR; | |
217 } | |
218 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
219 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
220 NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
221 if (ngx_ssl_session_cache_index == -1) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
222 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
223 "SSL_CTX_get_ex_new_index() failed"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
224 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
225 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
226 |
8082
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
227 ngx_ssl_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
228 NULL); |
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
229 if (ngx_ssl_ticket_keys_index == -1) { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
230 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
231 "SSL_CTX_get_ex_new_index() failed"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
232 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
233 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
234 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
235 ngx_ssl_ocsp_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
236 if (ngx_ssl_ocsp_index == -1) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
237 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
238 "SSL_CTX_get_ex_new_index() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
239 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
240 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
241 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
242 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
243 NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
244 if (ngx_ssl_certificate_index == -1) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
245 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
246 "SSL_CTX_get_ex_new_index() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
247 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
248 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
249 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
250 ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
251 NULL); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
252 if (ngx_ssl_next_certificate_index == -1) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
253 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
254 return NGX_ERROR; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
255 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
256 |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
257 ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
258 NULL); |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
259 |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
260 if (ngx_ssl_certificate_name_index == -1) { |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
261 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
262 return NGX_ERROR; |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
263 } |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
264 |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
265 ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
266 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
267 if (ngx_ssl_stapling_index == -1) { |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
268 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
269 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
270 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
271 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
272 return NGX_OK; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
273 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
274 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
275 |
489 | 276 ngx_int_t |
969 | 277 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) |
547 | 278 { |
577 | 279 ssl->ctx = SSL_CTX_new(SSLv23_method()); |
547 | 280 |
281 if (ssl->ctx == NULL) { | |
282 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed"); | |
283 return NGX_ERROR; | |
284 } | |
285 | |
969 | 286 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) { |
287 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
288 "SSL_CTX_set_ex_data() failed"); | |
289 return NGX_ERROR; | |
290 } | |
291 | |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
292 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
293 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
294 "SSL_CTX_set_ex_data() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
295 return NGX_ERROR; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
296 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
297 |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
298 ssl->buffer_size = NGX_SSL_BUFSIZE; |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
299 |
577 | 300 /* client side options */ |
301 | |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
302 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG |
577 | 303 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
304 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
305 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
306 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG |
577 | 307 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
308 #endif |
577 | 309 |
310 /* server side options */ | |
563 | 311 |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
312 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
563 | 313 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
314 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
315 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
316 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
563 | 317 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
318 #endif |
563 | 319 |
5778
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
320 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
563 | 321 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); |
5778
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
322 #endif |
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
323 |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
324 #ifdef SSL_OP_TLS_D5_BUG |
563 | 325 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
326 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
327 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
328 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG |
563 | 329 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
330 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
331 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
332 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
563 | 333 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
334 #endif |
563 | 335 |
2044 | 336 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); |
547 | 337 |
7318
3443fe40bdc7
SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7317
diff
changeset
|
338 #if OPENSSL_VERSION_NUMBER >= 0x009080dfL |
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
339 /* only in 0.9.8m+ */ |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
340 SSL_CTX_clear_options(ssl->ctx, |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
341 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
342 #endif |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
343 |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
344 if (!(protocols & NGX_SSL_SSLv2)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
345 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
346 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
347 if (!(protocols & NGX_SSL_SSLv3)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
348 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
349 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
350 if (!(protocols & NGX_SSL_TLSv1)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
351 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); |
547 | 352 } |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
353 #ifdef SSL_OP_NO_TLSv1_1 |
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
354 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1); |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
355 if (!(protocols & NGX_SSL_TLSv1_1)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
356 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
357 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
358 #endif |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
359 #ifdef SSL_OP_NO_TLSv1_2 |
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
360 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2); |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
361 if (!(protocols & NGX_SSL_TLSv1_2)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
362 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
363 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
364 #endif |
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
365 #ifdef SSL_OP_NO_TLSv1_3 |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
366 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
367 if (!(protocols & NGX_SSL_TLSv1_3)) { |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
368 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
369 } |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
370 #endif |
547 | 371 |
7372
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
372 #ifdef SSL_CTX_set_min_proto_version |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
373 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
374 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
375 #endif |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
376 |
7332
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
377 #ifdef TLS1_3_VERSION |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
378 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
379 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
380 #endif |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
381 |
4185
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
382 #ifdef SSL_OP_NO_COMPRESSION |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
383 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
384 #endif |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
385 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
386 #ifdef SSL_OP_NO_ANTI_REPLAY |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
387 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
388 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
389 |
7474
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
390 #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION |
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
391 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); |
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
392 #endif |
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
393 |
7899
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
394 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF |
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
395 SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); |
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
396 #endif |
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
397 |
4186
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
398 #ifdef SSL_MODE_RELEASE_BUFFERS |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
399 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
400 #endif |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
401 |
6036
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
402 #ifdef SSL_MODE_NO_AUTO_CHAIN |
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
403 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN); |
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
404 #endif |
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
405 |
547 | 406 SSL_CTX_set_read_ahead(ssl->ctx, 1); |
407 | |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
408 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
409 |
547 | 410 return NGX_OK; |
411 } | |
412 | |
413 | |
414 ngx_int_t | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
415 ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
416 ngx_array_t *keys, ngx_array_t *passwords) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
417 { |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
418 ngx_str_t *cert, *key; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
419 ngx_uint_t i; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
420 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
421 cert = certs->elts; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
422 key = keys->elts; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
423 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
424 for (i = 0; i < certs->nelts; i++) { |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
425 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
426 if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
427 != NGX_OK) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
428 { |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
429 return NGX_ERROR; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
430 } |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
431 } |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
432 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
433 return NGX_OK; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
434 } |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
435 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
436 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
437 ngx_int_t |
563 | 438 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
439 ngx_str_t *key, ngx_array_t *passwords) |
547 | 440 { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
441 char *err; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
442 X509 *x509; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
443 EVP_PKEY *pkey; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
444 STACK_OF(X509) *chain; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
445 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
446 x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
447 if (x509 == NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
448 if (err != NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
449 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
450 "cannot load certificate \"%s\": %s", |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
451 cert->data, err); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
452 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
453 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
454 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
455 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
456 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
457 if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
458 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
459 "SSL_CTX_use_certificate(\"%s\") failed", cert->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
460 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
461 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
462 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
463 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
464 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
465 if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
466 == 0) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
467 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
468 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
469 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
470 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
471 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
472 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
473 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
474 if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
475 SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index)) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
476 == 0) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
477 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
478 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
479 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
480 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
481 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
482 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
483 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
484 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
485 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
486 "SSL_CTX_set_ex_data() failed"); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
487 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
488 sk_X509_pop_free(chain, X509_free); |
547 | 489 return NGX_ERROR; |
490 } | |
491 | |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
492 /* |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
493 * Note that x509 is not freed here, but will be instead freed in |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
494 * ngx_ssl_cleanup_ctx(). This is because we need to preserve all |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
495 * certificates to be able to iterate all of them through exdata |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
496 * (ngx_ssl_certificate_index, ngx_ssl_next_certificate_index), |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
497 * while OpenSSL can free a certificate if it is replaced with another |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
498 * certificate of the same type. |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
499 */ |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
500 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
501 #ifdef SSL_CTX_set0_chain |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
502 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
503 if (SSL_CTX_set0_chain(ssl->ctx, chain) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
504 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
505 "SSL_CTX_set0_chain(\"%s\") failed", cert->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
506 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
507 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
508 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
509 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
510 #else |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
511 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
512 int n; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
513 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
514 /* SSL_CTX_set0_chain() is only available in OpenSSL 1.0.2+ */ |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
515 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
516 n = sk_X509_num(chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
517 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
518 while (n--) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
519 x509 = sk_X509_shift(chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
520 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
521 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
522 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
523 "SSL_CTX_add_extra_chain_cert(\"%s\") failed", |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
524 cert->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
525 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
526 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
527 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
528 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
529 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
530 sk_X509_free(chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
531 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
532 #endif |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
533 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
534 pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
535 if (pkey == NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
536 if (err != NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
537 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
538 "cannot load certificate key \"%s\": %s", |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
539 key->data, err); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
540 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
541 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
542 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
543 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
544 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
545 if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
546 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
547 "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
548 EVP_PKEY_free(pkey); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
549 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
550 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
551 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
552 EVP_PKEY_free(pkey); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
553 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
554 return NGX_OK; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
555 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
556 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
557 |
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
558 ngx_int_t |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
559 ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
560 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords) |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
561 { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
562 char *err; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
563 X509 *x509; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
564 EVP_PKEY *pkey; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
565 STACK_OF(X509) *chain; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
566 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
567 x509 = ngx_ssl_load_certificate(pool, &err, cert, &chain); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
568 if (x509 == NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
569 if (err != NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
570 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
571 "cannot load certificate \"%s\": %s", |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
572 cert->data, err); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
573 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
574 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
575 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
576 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
577 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
578 if (SSL_use_certificate(c->ssl->connection, x509) == 0) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
579 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
580 "SSL_use_certificate(\"%s\") failed", cert->data); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
581 X509_free(x509); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
582 sk_X509_pop_free(chain, X509_free); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
583 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
584 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
585 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
586 X509_free(x509); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
587 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
588 #ifdef SSL_set0_chain |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
589 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
590 /* |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
591 * SSL_set0_chain() is only available in OpenSSL 1.0.2+, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
592 * but this function is only called via certificate callback, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
593 * which is only available in OpenSSL 1.0.2+ as well |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
594 */ |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
595 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
596 if (SSL_set0_chain(c->ssl->connection, chain) == 0) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
597 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
598 "SSL_set0_chain(\"%s\") failed", cert->data); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
599 sk_X509_pop_free(chain, X509_free); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
600 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
601 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
602 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
603 #endif |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
604 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
605 pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
606 if (pkey == NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
607 if (err != NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
608 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
609 "cannot load certificate key \"%s\": %s", |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
610 key->data, err); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
611 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
612 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
613 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
614 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
615 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
616 if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
617 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
618 "SSL_use_PrivateKey(\"%s\") failed", key->data); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
619 EVP_PKEY_free(pkey); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
620 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
621 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
622 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
623 EVP_PKEY_free(pkey); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
624 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
625 return NGX_OK; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
626 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
627 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
628 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
629 static X509 * |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
630 ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
631 STACK_OF(X509) **chain) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
632 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
633 BIO *bio; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
634 X509 *x509, *temp; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
635 u_long n; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
636 |
7477
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
637 if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
638 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
639 bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1, |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
640 cert->len - (sizeof("data:") - 1)); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
641 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
642 *err = "BIO_new_mem_buf() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
643 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
644 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
645 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
646 } else { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
647 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
648 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
649 != NGX_OK) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
650 { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
651 *err = NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
652 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
653 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
654 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
655 bio = BIO_new_file((char *) cert->data, "r"); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
656 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
657 *err = "BIO_new_file() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
658 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
659 } |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
660 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
661 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
662 /* certificate itself */ |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
663 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
664 x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
665 if (x509 == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
666 *err = "PEM_read_bio_X509_AUX() failed"; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
667 BIO_free(bio); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
668 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
669 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
670 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
671 /* rest of the chain */ |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
672 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
673 *chain = sk_X509_new_null(); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
674 if (*chain == NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
675 *err = "sk_X509_new_null() failed"; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
676 BIO_free(bio); |
5384
cfbf1d1cc233
SSL: fixed possible memory and file descriptor leak on HUP signal.
Piotr Sikora <piotr@cloudflare.com>
parents:
5378
diff
changeset
|
677 X509_free(x509); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
678 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
679 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
680 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
681 for ( ;; ) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
682 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
683 temp = PEM_read_bio_X509(bio, NULL, NULL, NULL); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
684 if (temp == NULL) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
685 n = ERR_peek_last_error(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
686 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
687 if (ERR_GET_LIB(n) == ERR_LIB_PEM |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
688 && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
689 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
690 /* end of file */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
691 ERR_clear_error(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
692 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
693 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
694 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
695 /* some real error */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
696 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
697 *err = "PEM_read_bio_X509() failed"; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
698 BIO_free(bio); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
699 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
700 sk_X509_pop_free(*chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
701 return NULL; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
702 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
703 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
704 if (sk_X509_push(*chain, temp) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
705 *err = "sk_X509_push() failed"; |
6549
d3302eb87a0c
SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
706 BIO_free(bio); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
707 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
708 sk_X509_pop_free(*chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
709 return NULL; |
6549
d3302eb87a0c
SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
710 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
711 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
712 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
713 BIO_free(bio); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
714 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
715 return x509; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
716 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
717 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
718 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
719 static EVP_PKEY * |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
720 ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
721 ngx_str_t *key, ngx_array_t *passwords) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
722 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
723 BIO *bio; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
724 EVP_PKEY *pkey; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
725 ngx_str_t *pwd; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
726 ngx_uint_t tries; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
727 pem_password_cb *cb; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
728 |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
729 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
730 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
731 #ifndef OPENSSL_NO_ENGINE |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
732 |
7476
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
733 u_char *p, *last; |
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
734 ENGINE *engine; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
735 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
736 p = key->data + sizeof("engine:") - 1; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
737 last = (u_char *) ngx_strchr(p, ':'); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
738 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
739 if (last == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
740 *err = "invalid syntax"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
741 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
742 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
743 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
744 *last = '\0'; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
745 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
746 engine = ENGINE_by_id((char *) p); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
747 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
748 if (engine == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
749 *err = "ENGINE_by_id() failed"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
750 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
751 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
752 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
753 *last++ = ':'; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
754 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
755 pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
756 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
757 if (pkey == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
758 *err = "ENGINE_load_private_key() failed"; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
759 ENGINE_free(engine); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
760 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
761 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
762 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
763 ENGINE_free(engine); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
764 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
765 return pkey; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
766 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
767 #else |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
768 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
769 *err = "loading \"engine:...\" certificate keys is not supported"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
770 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
771 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
772 #endif |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
773 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
774 |
7477
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
775 if (ngx_strncmp(key->data, "data:", sizeof("data:") - 1) == 0) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
776 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
777 bio = BIO_new_mem_buf(key->data + sizeof("data:") - 1, |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
778 key->len - (sizeof("data:") - 1)); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
779 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
780 *err = "BIO_new_mem_buf() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
781 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
782 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
783 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
784 } else { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
785 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
786 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
787 != NGX_OK) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
788 { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
789 *err = NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
790 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
791 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
792 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
793 bio = BIO_new_file((char *) key->data, "r"); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
794 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
795 *err = "BIO_new_file() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
796 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
797 } |
563 | 798 } |
799 | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
800 if (passwords) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
801 tries = passwords->nelts; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
802 pwd = passwords->elts; |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
803 cb = ngx_ssl_password_callback; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
804 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
805 } else { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
806 tries = 1; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
807 pwd = NULL; |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
808 cb = NULL; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
809 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
810 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
811 for ( ;; ) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
812 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
813 pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
814 if (pkey != NULL) { |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
815 break; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
816 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
817 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
818 if (tries-- > 1) { |
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
819 ERR_clear_error(); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
820 (void) BIO_reset(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
821 pwd++; |
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
822 continue; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
823 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
824 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
825 *err = "PEM_read_bio_PrivateKey() failed"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
826 BIO_free(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
827 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
828 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
829 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
830 BIO_free(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
831 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
832 return pkey; |
547 | 833 } |
834 | |
835 | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
836 static int |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
837 ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
838 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
839 ngx_str_t *pwd = userdata; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
840 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
841 if (rwflag) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
842 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
843 "ngx_ssl_password_callback() is called for encryption"); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
844 return 0; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
845 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
846 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
847 if (pwd == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
848 return 0; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
849 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
850 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
851 if (pwd->len > (size_t) size) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
852 ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
853 "password is truncated to %d bytes", size); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
854 } else { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
855 size = pwd->len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
856 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
857 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
858 ngx_memcpy(buf, pwd->data, size); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
859 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
860 return size; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
861 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
862 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
863 |
547 | 864 ngx_int_t |
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
865 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
866 ngx_uint_t prefer_server_ciphers) |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
867 { |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
868 if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) { |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
869 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
870 "SSL_CTX_set_cipher_list(\"%V\") failed", |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
871 ciphers); |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
872 return NGX_ERROR; |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
873 } |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
874 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
875 if (prefer_server_ciphers) { |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
876 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
877 } |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
878 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
879 return NGX_OK; |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
880 } |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
881 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
882 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
883 ngx_int_t |
671 | 884 ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
885 ngx_int_t depth) | |
647 | 886 { |
671 | 887 STACK_OF(X509_NAME) *list; |
888 | |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
889 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); |
671 | 890 |
891 SSL_CTX_set_verify_depth(ssl->ctx, depth); | |
892 | |
893 if (cert->len == 0) { | |
894 return NGX_OK; | |
895 } | |
896 | |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
897 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
647 | 898 return NGX_ERROR; |
899 } | |
900 | |
901 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) | |
902 == 0) | |
903 { | |
904 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
905 "SSL_CTX_load_verify_locations(\"%s\") failed", | |
906 cert->data); | |
907 return NGX_ERROR; | |
908 } | |
909 | |
5365
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
910 /* |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
911 * SSL_CTX_load_verify_locations() may leave errors in the error queue |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
912 * while returning success |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
913 */ |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
914 |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
915 ERR_clear_error(); |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
916 |
671 | 917 list = SSL_load_client_CA_file((char *) cert->data); |
918 | |
919 if (list == NULL) { | |
920 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
921 "SSL_load_client_CA_file(\"%s\") failed", cert->data); | |
922 return NGX_ERROR; | |
923 } | |
924 | |
925 SSL_CTX_set_client_CA_list(ssl->ctx, list); | |
926 | |
647 | 927 return NGX_OK; |
928 } | |
929 | |
930 | |
2995 | 931 ngx_int_t |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
932 ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
933 ngx_int_t depth) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
934 { |
7672
3dcb1aba894a
SSL: fixed unexpected certificate requests (ticket #2008).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7664
diff
changeset
|
935 SSL_CTX_set_verify(ssl->ctx, SSL_CTX_get_verify_mode(ssl->ctx), |
3dcb1aba894a
SSL: fixed unexpected certificate requests (ticket #2008).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7664
diff
changeset
|
936 ngx_ssl_verify_callback); |
7664
699f6e55bbb4
SSL: added verify callback to ngx_ssl_trusted_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7653
diff
changeset
|
937 |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
938 SSL_CTX_set_verify_depth(ssl->ctx, depth); |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
939 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
940 if (cert->len == 0) { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
941 return NGX_OK; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
942 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
943 |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
944 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
945 return NGX_ERROR; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
946 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
947 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
948 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
949 == 0) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
950 { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
951 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
952 "SSL_CTX_load_verify_locations(\"%s\") failed", |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
953 cert->data); |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
954 return NGX_ERROR; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
955 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
956 |
5365
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
957 /* |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
958 * SSL_CTX_load_verify_locations() may leave errors in the error queue |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
959 * while returning success |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
960 */ |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
961 |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
962 ERR_clear_error(); |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
963 |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
964 return NGX_OK; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
965 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
966 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
967 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
968 ngx_int_t |
2995 | 969 ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl) |
970 { | |
971 X509_STORE *store; | |
972 X509_LOOKUP *lookup; | |
973 | |
974 if (crl->len == 0) { | |
975 return NGX_OK; | |
976 } | |
977 | |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
978 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) { |
2995 | 979 return NGX_ERROR; |
980 } | |
981 | |
982 store = SSL_CTX_get_cert_store(ssl->ctx); | |
983 | |
984 if (store == NULL) { | |
985 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
986 "SSL_CTX_get_cert_store() failed"); | |
987 return NGX_ERROR; | |
988 } | |
989 | |
990 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); | |
991 | |
992 if (lookup == NULL) { | |
993 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
994 "X509_STORE_add_lookup() failed"); | |
995 return NGX_ERROR; | |
996 } | |
997 | |
998 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM) | |
999 == 0) | |
1000 { | |
1001 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
1002 "X509_LOOKUP_load_file(\"%s\") failed", crl->data); | |
1003 return NGX_ERROR; | |
1004 } | |
1005 | |
1006 X509_STORE_set_flags(store, | |
1007 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | |
1008 | |
1009 return NGX_OK; | |
1010 } | |
1011 | |
1012 | |
671 | 1013 static int |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
1014 ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) |
671 | 1015 { |
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
1016 #if (NGX_DEBUG) |
671 | 1017 char *subject, *issuer; |
1018 int err, depth; | |
1019 X509 *cert; | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1020 X509_NAME *sname, *iname; |
671 | 1021 ngx_connection_t *c; |
1022 ngx_ssl_conn_t *ssl_conn; | |
1023 | |
1024 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store, | |
1025 SSL_get_ex_data_X509_STORE_CTX_idx()); | |
1026 | |
1027 c = ngx_ssl_get_connection(ssl_conn); | |
1028 | |
7781
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
1029 if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) { |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
1030 return 1; |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
1031 } |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
1032 |
671 | 1033 cert = X509_STORE_CTX_get_current_cert(x509_store); |
1034 err = X509_STORE_CTX_get_error(x509_store); | |
1035 depth = X509_STORE_CTX_get_error_depth(x509_store); | |
1036 | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1037 sname = X509_get_subject_name(cert); |
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1038 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1039 if (sname) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1040 subject = X509_NAME_oneline(sname, NULL, 0); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1041 if (subject == NULL) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1042 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1043 "X509_NAME_oneline() failed"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1044 } |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1045 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1046 } else { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1047 subject = NULL; |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1048 } |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1049 |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1050 iname = X509_get_issuer_name(cert); |
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1051 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1052 if (iname) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1053 issuer = X509_NAME_oneline(iname, NULL, 0); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1054 if (issuer == NULL) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1055 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1056 "X509_NAME_oneline() failed"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1057 } |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1058 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1059 } else { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1060 issuer = NULL; |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1061 } |
671 | 1062 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1063 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, |
671 | 1064 "verify:%d, error:%d, depth:%d, " |
5775
294d020bbcfe
SSL: misplaced space in debug message.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5767
diff
changeset
|
1065 "subject:\"%s\", issuer:\"%s\"", |
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1066 ok, err, depth, |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1067 subject ? subject : "(none)", |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1068 issuer ? issuer : "(none)"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1069 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1070 if (subject) { |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1071 OPENSSL_free(subject); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1072 } |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1073 |
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1074 if (issuer) { |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1075 OPENSSL_free(issuer); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1076 } |
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
1077 #endif |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1078 |
671 | 1079 return 1; |
1080 } | |
1081 | |
1082 | |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1083 static void |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1084 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1085 { |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1086 BIO *rbio, *wbio; |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1087 ngx_connection_t *c; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1088 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1089 #ifndef SSL_OP_NO_RENEGOTIATION |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1090 |
6982
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1091 if ((where & SSL_CB_HANDSHAKE_START) |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1092 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1093 { |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1094 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1095 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1096 if (c->ssl->handshaked) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1097 c->ssl->renegotiation = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1098 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1099 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1100 } |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1101 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1102 #endif |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1103 |
8086
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1104 #ifdef TLS1_3_VERSION |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1105 |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1106 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1107 && SSL_version(ssl_conn) == TLS1_3_VERSION) |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1108 { |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1109 time_t now, time, timeout, conf_timeout; |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1110 SSL_SESSION *sess; |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1111 |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1112 /* |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1113 * OpenSSL with TLSv1.3 updates the session creation time on |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1114 * session resumption and keeps the session timeout unmodified, |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1115 * making it possible to maintain the session forever, bypassing |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1116 * client certificate expiration and revocation. To make sure |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1117 * session timeouts are actually used, we now update the session |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1118 * creation time and reduce the session timeout accordingly. |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1119 * |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1120 * BoringSSL with TLSv1.3 ignores configured session timeouts |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1121 * and uses a hardcoded timeout instead, 7 days. So we update |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1122 * session timeout to the configured value as soon as a session |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1123 * is created. |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1124 */ |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1125 |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1126 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1127 sess = SSL_get0_session(ssl_conn); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1128 |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1129 if (!c->ssl->session_timeout_set && sess) { |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1130 c->ssl->session_timeout_set = 1; |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1131 |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1132 now = ngx_time(); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1133 time = SSL_SESSION_get_time(sess); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1134 timeout = SSL_SESSION_get_timeout(sess); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1135 conf_timeout = SSL_CTX_get_timeout(c->ssl->session_ctx); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1136 |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1137 timeout = ngx_min(timeout, conf_timeout); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1138 |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1139 if (now - time >= timeout) { |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1140 SSL_SESSION_set1_id_context(sess, (unsigned char *) "", 0); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1141 |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1142 } else { |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1143 SSL_SESSION_set_time(sess, now); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1144 SSL_SESSION_set_timeout(sess, timeout - (now - time)); |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1145 } |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1146 } |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1147 } |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1148 |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1149 #endif |
496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8085
diff
changeset
|
1150 |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1151 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1152 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1153 |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1154 if (!c->ssl->handshake_buffer_set) { |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1155 /* |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1156 * By default OpenSSL uses 4k buffer during a handshake, |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1157 * which is too low for long certificate chains and might |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1158 * result in extra round-trips. |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1159 * |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1160 * To adjust a buffer size we detect that buffering was added |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1161 * to write side of the connection by comparing rbio and wbio. |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1162 * If they are different, we assume that it's due to buffering |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1163 * added to wbio, and set buffer size. |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1164 */ |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1165 |
7509
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
1166 rbio = SSL_get_rbio(ssl_conn); |
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
1167 wbio = SSL_get_wbio(ssl_conn); |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1168 |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1169 if (rbio != wbio) { |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1170 (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE); |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1171 c->ssl->handshake_buffer_set = 1; |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1172 } |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1173 } |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1174 } |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1175 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1176 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1177 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1178 ngx_array_t * |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1179 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1180 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1181 u_char *p, *last, *end; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1182 size_t len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1183 ssize_t n; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1184 ngx_fd_t fd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1185 ngx_str_t *pwd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1186 ngx_array_t *passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1187 ngx_pool_cleanup_t *cln; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1188 u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE]; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1189 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1190 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1191 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1192 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1193 |
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1194 passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t)); |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1195 if (passwords == NULL) { |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1196 return NULL; |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1197 } |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1198 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1199 cln = ngx_pool_cleanup_add(cf->temp_pool, 0); |
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1200 if (cln == NULL) { |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1201 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1202 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1203 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1204 cln->handler = ngx_ssl_passwords_cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1205 cln->data = passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1206 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1207 fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); |
7086 | 1208 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1209 if (fd == NGX_INVALID_FILE) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1210 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1211 ngx_open_file_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1212 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1213 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1214 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1215 len = 0; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1216 last = buf; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1217 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1218 do { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1219 n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1220 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1221 if (n == -1) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1222 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1223 ngx_read_fd_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1224 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1225 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1226 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1227 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1228 end = last + n; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1229 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1230 if (len && n == 0) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1231 *end++ = LF; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1232 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1233 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1234 p = buf; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1235 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1236 for ( ;; ) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1237 last = ngx_strlchr(last, end, LF); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1238 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1239 if (last == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1240 break; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1241 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1242 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1243 len = last++ - p; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1244 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1245 if (len && p[len - 1] == CR) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1246 len--; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1247 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1248 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1249 if (len) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1250 pwd = ngx_array_push(passwords); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1251 if (pwd == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1252 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1253 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1254 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1255 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1256 pwd->len = len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1257 pwd->data = ngx_pnalloc(cf->temp_pool, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1258 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1259 if (pwd->data == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1260 passwords->nelts--; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1261 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1262 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1263 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1264 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1265 ngx_memcpy(pwd->data, p, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1266 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1267 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1268 p = last; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1269 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1270 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1271 len = end - p; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1272 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1273 if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1274 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1275 "too long line in \"%s\"", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1276 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1277 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1278 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1279 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1280 ngx_memmove(buf, p, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1281 last = buf + len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1282 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1283 } while (n != 0); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1284 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1285 if (passwords->nelts == 0) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1286 pwd = ngx_array_push(passwords); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1287 if (pwd == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1288 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1289 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1290 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1291 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1292 ngx_memzero(pwd, sizeof(ngx_str_t)); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1293 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1294 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1295 cleanup: |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1296 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1297 if (ngx_close_file(fd) == NGX_FILE_ERROR) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1298 ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1299 ngx_close_file_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1300 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1301 |
7395
9ca82f273967
Core: ngx_explicit_memzero().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7372
diff
changeset
|
1302 ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1303 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1304 return passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1305 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1306 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1307 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1308 ngx_array_t * |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1309 ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords) |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1310 { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1311 ngx_str_t *opwd, *pwd; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1312 ngx_uint_t i; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1313 ngx_array_t *pwds; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1314 ngx_pool_cleanup_t *cln; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1315 static ngx_array_t empty_passwords; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1316 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1317 if (passwords == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1318 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1319 /* |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1320 * If there are no passwords, an empty array is used |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1321 * to make sure OpenSSL's default password callback |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1322 * won't block on reading from stdin. |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1323 */ |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1324 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1325 return &empty_passwords; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1326 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1327 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1328 /* |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1329 * Passwords are normally allocated from the temporary pool |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1330 * and cleared after parsing configuration. To be used at |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1331 * runtime they have to be copied to the configuration pool. |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1332 */ |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1333 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1334 pwds = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t)); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1335 if (pwds == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1336 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1337 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1338 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1339 cln = ngx_pool_cleanup_add(cf->pool, 0); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1340 if (cln == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1341 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1342 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1343 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1344 cln->handler = ngx_ssl_passwords_cleanup; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1345 cln->data = pwds; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1346 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1347 opwd = passwords->elts; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1348 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1349 for (i = 0; i < passwords->nelts; i++) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1350 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1351 pwd = ngx_array_push(pwds); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1352 if (pwd == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1353 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1354 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1355 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1356 pwd->len = opwd[i].len; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1357 pwd->data = ngx_pnalloc(cf->pool, pwd->len); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1358 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1359 if (pwd->data == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1360 pwds->nelts--; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1361 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1362 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1363 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1364 ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1365 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1366 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1367 return pwds; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1368 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1369 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1370 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1371 static void |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1372 ngx_ssl_passwords_cleanup(void *data) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1373 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1374 ngx_array_t *passwords = data; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1375 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1376 ngx_str_t *pwd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1377 ngx_uint_t i; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1378 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1379 pwd = passwords->elts; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1380 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1381 for (i = 0; i < passwords->nelts; i++) { |
7395
9ca82f273967
Core: ngx_explicit_memzero().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7372
diff
changeset
|
1382 ngx_explicit_memzero(pwd[i].data, pwd[i].len); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1383 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1384 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1385 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1386 |
547 | 1387 ngx_int_t |
2044 | 1388 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) |
1389 { | |
1390 BIO *bio; | |
1391 | |
1392 if (file->len == 0) { | |
1393 return NGX_OK; | |
1394 } | |
1395 | |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
1396 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
2044 | 1397 return NGX_ERROR; |
1398 } | |
1399 | |
1400 bio = BIO_new_file((char *) file->data, "r"); | |
1401 if (bio == NULL) { | |
1402 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
1403 "BIO_new_file(\"%s\") failed", file->data); | |
1404 return NGX_ERROR; | |
1405 } | |
1406 | |
7896
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1407 #ifdef SSL_CTX_set_tmp_dh |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1408 { |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1409 DH *dh; |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1410 |
2044 | 1411 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); |
1412 if (dh == NULL) { | |
1413 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
1414 "PEM_read_bio_DHparams(\"%s\") failed", file->data); | |
1415 BIO_free(bio); | |
1416 return NGX_ERROR; | |
1417 } | |
1418 | |
7892
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1419 if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) { |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1420 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1421 "SSL_CTX_set_tmp_dh(\"%s\") failed", file->data); |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1422 DH_free(dh); |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1423 BIO_free(bio); |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1424 return NGX_ERROR; |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1425 } |
2044 | 1426 |
1427 DH_free(dh); | |
7896
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1428 } |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1429 #else |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1430 { |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1431 EVP_PKEY *dh; |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1432 |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1433 /* |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1434 * PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1435 * are deprecated in OpenSSL 3.0 |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1436 */ |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1437 |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1438 dh = PEM_read_bio_Parameters(bio, NULL); |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1439 if (dh == NULL) { |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1440 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1441 "PEM_read_bio_Parameters(\"%s\") failed", file->data); |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1442 BIO_free(bio); |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1443 return NGX_ERROR; |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1444 } |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1445 |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1446 if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) { |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1447 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1448 "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data); |
7994
aeab41dfd260
SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7987
diff
changeset
|
1449 #if (OPENSSL_VERSION_NUMBER >= 0x3000001fL) |
aeab41dfd260
SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7987
diff
changeset
|
1450 EVP_PKEY_free(dh); |
aeab41dfd260
SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7987
diff
changeset
|
1451 #endif |
7896
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1452 BIO_free(bio); |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1453 return NGX_ERROR; |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1454 } |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1455 } |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1456 #endif |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1457 |
2044 | 1458 BIO_free(bio); |
1459 | |
1460 return NGX_OK; | |
1461 } | |
1462 | |
4522 | 1463 |
3960 | 1464 ngx_int_t |
1465 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) | |
1466 { | |
1467 #ifndef OPENSSL_NO_ECDH | |
1468 | |
1469 /* | |
1470 * Elliptic-Curve Diffie-Hellman parameters are either "named curves" | |
4572
67653855682e
Fixed spelling in multiline C comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4522
diff
changeset
|
1471 * from RFC 4492 section 5.1.1, or explicitly described curves over |
6552 | 1472 * binary fields. OpenSSL only supports the "named curves", which provide |
3960 | 1473 * maximum interoperability. |
1474 */ | |
1475 | |
6983
3518287d995e
SSL: compatibility with OpenSSL master branch.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6982
diff
changeset
|
1476 #if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1477 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1478 /* |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1479 * OpenSSL 1.0.2+ allows configuring a curve list instead of a single |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1480 * curve previously supported. By default an internal list is used, |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1481 * with prime256v1 being preferred by server in OpenSSL 1.0.2b+ |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1482 * and X25519 in OpenSSL 1.1.0+. |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1483 * |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1484 * By default a curve preferred by the client will be used for |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1485 * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1486 * be used to prefer server curves instead, similar to what it |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1487 * does for ciphers. |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1488 */ |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1489 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1490 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1491 |
8065
0ce2d7a520be
SSL: fixed incorrect usage of #if instead of #ifdef.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8063
diff
changeset
|
1492 #ifdef SSL_CTRL_SET_ECDH_AUTO |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1493 /* not needed in OpenSSL 1.1.0+ */ |
8070
ba5cf8f73a2d
SSL: silenced GCC warnings when building with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8068
diff
changeset
|
1494 (void) SSL_CTX_set_ecdh_auto(ssl->ctx, 1); |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1495 #endif |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1496 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1497 if (ngx_strcmp(name->data, "auto") == 0) { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1498 return NGX_OK; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1499 } |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1500 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1501 if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1502 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1503 "SSL_CTX_set1_curves_list(\"%s\") failed", name->data); |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1504 return NGX_ERROR; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1505 } |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1506 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1507 #else |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1508 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1509 int nid; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1510 char *curve; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1511 EC_KEY *ecdh; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1512 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1513 if (ngx_strcmp(name->data, "auto") == 0) { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1514 curve = "prime256v1"; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1515 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1516 } else { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1517 curve = (char *) name->data; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1518 } |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1519 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1520 nid = OBJ_sn2nid(curve); |
3960 | 1521 if (nid == 0) { |
1522 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1523 "OBJ_sn2nid(\"%s\") failed: unknown curve", curve); |
3960 | 1524 return NGX_ERROR; |
1525 } | |
1526 | |
1527 ecdh = EC_KEY_new_by_curve_name(nid); | |
1528 if (ecdh == NULL) { | |
1529 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1530 "EC_KEY_new_by_curve_name(\"%s\") failed", curve); |
3960 | 1531 return NGX_ERROR; |
1532 } | |
1533 | |
5003
82234f3f5ca2
SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4877
diff
changeset
|
1534 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); |
82234f3f5ca2
SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4877
diff
changeset
|
1535 |
3960 | 1536 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); |
1537 | |
1538 EC_KEY_free(ecdh); | |
1539 #endif | |
1540 #endif | |
1541 | |
1542 return NGX_OK; | |
1543 } | |
2044 | 1544 |
4522 | 1545 |
2044 | 1546 ngx_int_t |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1547 ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1548 { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1549 if (!enable) { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1550 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1551 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1552 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1553 #ifdef SSL_ERROR_EARLY_DATA_REJECTED |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1554 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1555 /* BoringSSL */ |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1556 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1557 SSL_CTX_set_early_data_enabled(ssl->ctx, 1); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1558 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1559 #elif defined SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1560 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1561 /* OpenSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1562 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1563 SSL_CTX_set_max_early_data(ssl->ctx, NGX_SSL_BUFSIZE); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1564 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1565 #else |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1566 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1567 "\"ssl_early_data\" is not supported on this platform, " |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1568 "ignored"); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1569 #endif |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1570 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1571 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1572 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1573 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1574 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1575 ngx_int_t |
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1576 ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *commands) |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1577 { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1578 if (commands == NULL) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1579 return NGX_OK; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1580 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1581 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1582 #ifdef SSL_CONF_FLAG_FILE |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1583 { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1584 int type; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1585 u_char *key, *value; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1586 ngx_uint_t i; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1587 ngx_keyval_t *cmd; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1588 SSL_CONF_CTX *cctx; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1589 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1590 cctx = SSL_CONF_CTX_new(); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1591 if (cctx == NULL) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1592 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1593 "SSL_CONF_CTX_new() failed"); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1594 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1595 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1596 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1597 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1598 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1599 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1600 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1601 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1602 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1603 SSL_CONF_CTX_set_ssl_ctx(cctx, ssl->ctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1604 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1605 cmd = commands->elts; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1606 for (i = 0; i < commands->nelts; i++) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1607 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1608 key = cmd[i].key.data; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1609 type = SSL_CONF_cmd_value_type(cctx, (char *) key); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1610 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1611 if (type == SSL_CONF_TYPE_FILE || type == SSL_CONF_TYPE_DIR) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1612 if (ngx_conf_full_name(cf->cycle, &cmd[i].value, 1) != NGX_OK) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1613 SSL_CONF_CTX_free(cctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1614 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1615 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1616 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1617 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1618 value = cmd[i].value.data; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1619 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1620 if (SSL_CONF_cmd(cctx, (char *) key, (char *) value) <= 0) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1621 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1622 "SSL_CONF_cmd(\"%s\", \"%s\") failed", key, value); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1623 SSL_CONF_CTX_free(cctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1624 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1625 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1626 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1627 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1628 if (SSL_CONF_CTX_finish(cctx) != 1) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1629 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1630 "SSL_CONF_finish() failed"); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1631 SSL_CONF_CTX_free(cctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1632 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1633 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1634 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1635 SSL_CONF_CTX_free(cctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1636 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1637 return NGX_OK; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1638 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1639 #else |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1640 ngx_log_error(NGX_LOG_EMERG, ssl->log, 0, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1641 "SSL_CONF_cmd() is not available on this platform"); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1642 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1643 #endif |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1644 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1645 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1646 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1647 ngx_int_t |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1648 ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1649 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1650 if (!enable) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1651 return NGX_OK; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1652 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1653 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1654 SSL_CTX_set_session_cache_mode(ssl->ctx, |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1655 SSL_SESS_CACHE_CLIENT |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1656 |SSL_SESS_CACHE_NO_INTERNAL); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1657 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1658 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1659 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1660 return NGX_OK; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1661 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1662 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1663 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1664 static int |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1665 ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1666 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1667 ngx_connection_t *c; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1668 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1669 c = ngx_ssl_get_connection(ssl_conn); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1670 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1671 if (c->ssl->save_session) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1672 c->ssl->session = sess; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1673 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1674 c->ssl->save_session(c); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1675 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1676 c->ssl->session = NULL; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1677 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1678 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1679 return 0; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1680 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1681 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1682 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1683 ngx_int_t |
547 | 1684 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) |
577 | 1685 { |
547 | 1686 ngx_ssl_connection_t *sc; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1687 |
547 | 1688 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); |
1689 if (sc == NULL) { | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1690 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1691 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1692 |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1693 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
1694 sc->buffer_size = ssl->buffer_size; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1695 |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
1696 sc->session_ctx = ssl->ctx; |
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
1697 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1698 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1699 if (SSL_CTX_get_max_early_data(ssl->ctx)) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1700 sc->try_early_data = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1701 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1702 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1703 |
547 | 1704 sc->connection = SSL_new(ssl->ctx); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1705 |
547 | 1706 if (sc->connection == NULL) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1707 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed"); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1708 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1709 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1710 |
547 | 1711 if (SSL_set_fd(sc->connection, c->fd) == 0) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1712 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed"); |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1713 return NGX_ERROR; |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1714 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1715 |
577 | 1716 if (flags & NGX_SSL_CLIENT) { |
1717 SSL_set_connect_state(sc->connection); | |
1718 | |
1719 } else { | |
1720 SSL_set_accept_state(sc->connection); | |
7319
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1721 |
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1722 #ifdef SSL_OP_NO_RENEGOTIATION |
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1723 SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION); |
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1724 #endif |
577 | 1725 } |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1726 |
969 | 1727 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) { |
671 | 1728 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed"); |
1729 return NGX_ERROR; | |
1730 } | |
1731 | |
547 | 1732 c->ssl = sc; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1733 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1734 return NGX_OK; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1735 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1736 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1737 |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1738 ngx_ssl_session_t * |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1739 ngx_ssl_get_session(ngx_connection_t *c) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1740 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1741 #ifdef TLS1_3_VERSION |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1742 if (c->ssl->session) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1743 SSL_SESSION_up_ref(c->ssl->session); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1744 return c->ssl->session; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1745 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1746 #endif |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1747 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1748 return SSL_get1_session(c->ssl->connection); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1749 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1750 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1751 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1752 ngx_ssl_session_t * |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1753 ngx_ssl_get0_session(ngx_connection_t *c) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1754 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1755 if (c->ssl->session) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1756 return c->ssl->session; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1757 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1758 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1759 return SSL_get0_session(c->ssl->connection); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1760 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1761 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1762 |
547 | 1763 ngx_int_t |
577 | 1764 ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) |
1765 { | |
1766 if (session) { | |
1767 if (SSL_set_session(c->ssl->connection, session) == 0) { | |
1768 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed"); | |
1769 return NGX_ERROR; | |
1770 } | |
1771 } | |
1772 | |
1773 return NGX_OK; | |
1774 } | |
1775 | |
1776 | |
1777 ngx_int_t | |
547 | 1778 ngx_ssl_handshake(ngx_connection_t *c) |
1779 { | |
1780 int n, sslerr; | |
1781 ngx_err_t err; | |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1782 ngx_int_t rc; |
547 | 1783 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1784 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1785 if (c->ssl->try_early_data) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1786 return ngx_ssl_try_early_data(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1787 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1788 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1789 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1790 if (c->ssl->in_ocsp) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1791 return ngx_ssl_ocsp_validate(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1792 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1793 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1794 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1795 |
547 | 1796 n = SSL_do_handshake(c->ssl->connection); |
1797 | |
577 | 1798 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); |
547 | 1799 |
1800 if (n == 1) { | |
1801 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1802 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 1803 return NGX_ERROR; |
1804 } | |
1805 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1806 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 1807 return NGX_ERROR; |
1808 } | |
1809 | |
1810 #if (NGX_DEBUG) | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1811 ngx_ssl_handshake_log(c); |
547 | 1812 #endif |
1813 | |
1814 c->recv = ngx_ssl_recv; | |
1815 c->send = ngx_ssl_write; | |
577 | 1816 c->recv_chain = ngx_ssl_recv_chain; |
1817 c->send_chain = ngx_ssl_send_chain; | |
547 | 1818 |
7891
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1819 c->read->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1820 c->write->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1821 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1822 #ifndef SSL_OP_NO_RENEGOTIATION |
6255
b40af2fd1c16
SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6036
diff
changeset
|
1823 #if OPENSSL_VERSION_NUMBER < 0x10100000L |
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1824 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS |
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1825 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1826 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ |
6995
eb5d119323d8
SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6983
diff
changeset
|
1827 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1828 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1829 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1830 |
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1831 #endif |
6255
b40af2fd1c16
SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6036
diff
changeset
|
1832 #endif |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1833 #endif |
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1834 |
8068
0546ab9351c8
Win32: fixed build on Windows with OpenSSL 3.0.x (ticket #2379).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8065
diff
changeset
|
1835 #if (defined BIO_get_ktls_send && !NGX_WIN32) |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1836 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1837 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1838 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1839 "BIO_get_ktls_send(): 1"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1840 c->ssl->sendfile = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1841 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1842 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1843 #endif |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1844 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1845 rc = ngx_ssl_ocsp_validate(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1846 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1847 if (rc == NGX_ERROR) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1848 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1849 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1850 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1851 if (rc == NGX_AGAIN) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1852 c->read->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1853 c->write->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1854 return NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1855 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1856 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1857 c->ssl->handshaked = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1858 |
547 | 1859 return NGX_OK; |
1860 } | |
1861 | |
1862 sslerr = SSL_get_error(c->ssl->connection, n); | |
1863 | |
1864 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); | |
1865 | |
1866 if (sslerr == SSL_ERROR_WANT_READ) { | |
1867 c->read->ready = 0; | |
1868 c->read->handler = ngx_ssl_handshake_handler; | |
591 | 1869 c->write->handler = ngx_ssl_handshake_handler; |
547 | 1870 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1871 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 1872 return NGX_ERROR; |
1873 } | |
1874 | |
5024
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1875 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1876 return NGX_ERROR; |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1877 } |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1878 |
547 | 1879 return NGX_AGAIN; |
1880 } | |
1881 | |
1882 if (sslerr == SSL_ERROR_WANT_WRITE) { | |
1883 c->write->ready = 0; | |
591 | 1884 c->read->handler = ngx_ssl_handshake_handler; |
547 | 1885 c->write->handler = ngx_ssl_handshake_handler; |
1886 | |
5024
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1887 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1888 return NGX_ERROR; |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1889 } |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1890 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1891 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 1892 return NGX_ERROR; |
1893 } | |
1894 | |
1895 return NGX_AGAIN; | |
1896 } | |
1897 | |
1898 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; | |
1899 | |
1900 c->ssl->no_wait_shutdown = 1; | |
1901 c->ssl->no_send_shutdown = 1; | |
591 | 1902 c->read->eof = 1; |
547 | 1903 |
1904 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { | |
5747
57c05ff57980
SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
1905 ngx_connection_error(c, err, |
57c05ff57980
SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
1906 "peer closed connection in SSL handshake"); |
547 | 1907 |
1908 return NGX_ERROR; | |
1909 } | |
1910 | |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1911 if (c->ssl->handshake_rejected) { |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1912 ngx_connection_error(c, err, "handshake rejected"); |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1913 ERR_clear_error(); |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1914 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1915 return NGX_ERROR; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1916 } |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1917 |
591 | 1918 c->read->error = 1; |
1919 | |
547 | 1920 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed"); |
1921 | |
1922 return NGX_ERROR; | |
1923 } | |
1924 | |
1925 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1926 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1927 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1928 static ngx_int_t |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1929 ngx_ssl_try_early_data(ngx_connection_t *c) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1930 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1931 int n, sslerr; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1932 u_char buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1933 size_t readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1934 ngx_err_t err; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1935 ngx_int_t rc; |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1936 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1937 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1938 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1939 readbytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1940 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1941 n = SSL_read_early_data(c->ssl->connection, &buf, 1, &readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1942 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1943 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1944 "SSL_read_early_data: %d, %uz", n, readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1945 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1946 if (n == SSL_READ_EARLY_DATA_FINISH) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1947 c->ssl->try_early_data = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1948 return ngx_ssl_handshake(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1949 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1950 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1951 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1952 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1953 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1954 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1955 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1956 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1957 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1958 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1959 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1960 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1961 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1962 ngx_ssl_handshake_log(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1963 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1964 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1965 c->ssl->try_early_data = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1966 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1967 c->ssl->early_buf = buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1968 c->ssl->early_preread = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1969 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1970 c->ssl->in_early = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1971 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1972 c->recv = ngx_ssl_recv; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1973 c->send = ngx_ssl_write; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1974 c->recv_chain = ngx_ssl_recv_chain; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1975 c->send_chain = ngx_ssl_send_chain; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1976 |
7891
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1977 c->read->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1978 c->write->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1979 |
8068
0546ab9351c8
Win32: fixed build on Windows with OpenSSL 3.0.x (ticket #2379).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8065
diff
changeset
|
1980 #if (defined BIO_get_ktls_send && !NGX_WIN32) |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1981 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1982 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1983 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1984 "BIO_get_ktls_send(): 1"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1985 c->ssl->sendfile = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1986 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1987 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1988 #endif |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1989 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1990 rc = ngx_ssl_ocsp_validate(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1991 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1992 if (rc == NGX_ERROR) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1993 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1994 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1995 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1996 if (rc == NGX_AGAIN) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1997 c->read->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1998 c->write->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1999 return NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
2000 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
2001 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
2002 c->ssl->handshaked = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
2003 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2004 return NGX_OK; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2005 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2006 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2007 /* SSL_READ_EARLY_DATA_ERROR */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2008 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2009 sslerr = SSL_get_error(c->ssl->connection, n); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2010 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2011 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2012 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2013 if (sslerr == SSL_ERROR_WANT_READ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2014 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2015 c->read->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2016 c->write->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2017 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2018 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2019 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2020 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2021 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2022 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2023 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2024 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2025 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2026 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2027 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2028 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2029 if (sslerr == SSL_ERROR_WANT_WRITE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2030 c->write->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2031 c->read->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2032 c->write->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2033 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2034 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2035 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2036 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2037 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2038 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2039 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2040 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2041 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2042 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2043 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2044 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2045 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2046 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2047 c->ssl->no_wait_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2048 c->ssl->no_send_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2049 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2050 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2051 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2052 ngx_connection_error(c, err, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2053 "peer closed connection in SSL handshake"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2054 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2055 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2056 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2057 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2058 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2059 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2060 ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2061 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2062 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2063 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2064 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2065 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2066 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2067 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2068 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2069 |
9078
0f4f781e57c1
QUIC: using ngx_ssl_handshake_log().
Sergey Kandaurov <pluknet@nginx.com>
parents:
9060
diff
changeset
|
2070 void |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2071 ngx_ssl_handshake_log(ngx_connection_t *c) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2072 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2073 char buf[129], *s, *d; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2074 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2075 const |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2076 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2077 SSL_CIPHER *cipher; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2078 |
7781
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
2079 if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) { |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
2080 return; |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
2081 } |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
2082 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2083 cipher = SSL_get_current_cipher(c->ssl->connection); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2084 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2085 if (cipher) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2086 SSL_CIPHER_description(cipher, &buf[1], 128); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2087 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2088 for (s = &buf[1], d = buf; *s; s++) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2089 if (*s == ' ' && *d == ' ') { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2090 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2091 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2092 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2093 if (*s == LF || *s == CR) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2094 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2095 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2096 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2097 *++d = *s; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2098 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2099 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2100 if (*d != ' ') { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2101 d++; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2102 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2103 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2104 *d = '\0'; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2105 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2106 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2107 "SSL: %s, cipher: \"%s\"", |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2108 SSL_get_version(c->ssl->connection), &buf[1]); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2109 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2110 if (SSL_session_reused(c->ssl->connection)) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2111 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2112 "SSL reused session"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2113 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2114 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2115 } else { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2116 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2117 "SSL no shared ciphers"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2118 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2119 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2120 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2121 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2122 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2123 |
547 | 2124 static void |
2125 ngx_ssl_handshake_handler(ngx_event_t *ev) | |
2126 { | |
2127 ngx_connection_t *c; | |
2128 | |
2129 c = ev->data; | |
2130 | |
549 | 2131 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
577 | 2132 "SSL handshake handler: %d", ev->write); |
547 | 2133 |
591 | 2134 if (ev->timedout) { |
2135 c->ssl->handler(c); | |
2136 return; | |
2137 } | |
2138 | |
547 | 2139 if (ngx_ssl_handshake(c) == NGX_AGAIN) { |
2140 return; | |
2141 } | |
2142 | |
2143 c->ssl->handler(c); | |
2144 } | |
2145 | |
2146 | |
489 | 2147 ssize_t |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2148 ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit) |
577 | 2149 { |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2150 u_char *last; |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2151 ssize_t n, bytes, size; |
577 | 2152 ngx_buf_t *b; |
2153 | |
2154 bytes = 0; | |
2155 | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2156 b = cl->buf; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2157 last = b->last; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2158 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2159 for ( ;; ) { |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2160 size = b->end - last; |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2161 |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2162 if (limit) { |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2163 if (bytes >= limit) { |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2164 return bytes; |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2165 } |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2166 |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2167 if (bytes + size > limit) { |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2168 size = (ssize_t) (limit - bytes); |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2169 } |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2170 } |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2171 |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2172 n = ngx_ssl_recv(c, last, size); |
577 | 2173 |
2174 if (n > 0) { | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2175 last += n; |
577 | 2176 bytes += n; |
2177 | |
7582
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2178 if (!c->read->ready) { |
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2179 return bytes; |
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2180 } |
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2181 |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2182 if (last == b->end) { |
577 | 2183 cl = cl->next; |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2184 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2185 if (cl == NULL) { |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2186 return bytes; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2187 } |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2188 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2189 b = cl->buf; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2190 last = b->last; |
577 | 2191 } |
2192 | |
2193 continue; | |
2194 } | |
2195 | |
2196 if (bytes) { | |
2052
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2197 |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2198 if (n == 0 || n == NGX_ERROR) { |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2199 c->read->ready = 1; |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2200 } |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2201 |
577 | 2202 return bytes; |
2203 } | |
2204 | |
2205 return n; | |
2206 } | |
2207 } | |
2208 | |
2209 | |
2210 ssize_t | |
489 | 2211 ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2212 { |
489 | 2213 int n, bytes; |
2214 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2215 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2216 if (c->ssl->in_early) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2217 return ngx_ssl_recv_early(c, buf, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2218 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2219 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2220 |
489 | 2221 if (c->ssl->last == NGX_ERROR) { |
8110
06c7d84cafdb
SSL: fixed ngx_ssl_recv() to reset c->read->ready after errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8107
diff
changeset
|
2222 c->read->ready = 0; |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2223 c->read->error = 1; |
489 | 2224 return NGX_ERROR; |
2225 } | |
2226 | |
577 | 2227 if (c->ssl->last == NGX_DONE) { |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2228 c->read->ready = 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2229 c->read->eof = 1; |
577 | 2230 return 0; |
2231 } | |
2232 | |
489 | 2233 bytes = 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2234 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2235 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2236 |
489 | 2237 /* |
2238 * SSL_read() may return data in parts, so try to read | |
2239 * until SSL_read() would return no data | |
2240 */ | |
2241 | |
2242 for ( ;; ) { | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2243 |
543 | 2244 n = SSL_read(c->ssl->connection, buf, size); |
489 | 2245 |
577 | 2246 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2247 |
489 | 2248 if (n > 0) { |
2249 bytes += n; | |
2250 } | |
2251 | |
2252 c->ssl->last = ngx_ssl_handle_recv(c, n); | |
2253 | |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2254 if (c->ssl->last == NGX_OK) { |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2255 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2256 size -= n; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2257 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2258 if (size == 0) { |
5450
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2259 c->read->ready = 1; |
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2260 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2261 if (c->read->available >= 0) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2262 c->read->available -= bytes; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2263 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2264 /* |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2265 * there can be data buffered at SSL layer, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2266 * so we post an event to continue reading on the next |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2267 * iteration of the event loop |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2268 */ |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2269 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2270 if (c->read->available < 0) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2271 c->read->available = 0; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2272 c->read->ready = 0; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2273 |
7617
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2274 if (c->read->posted) { |
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2275 ngx_delete_posted_event(c->read); |
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2276 } |
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2277 |
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2278 ngx_post_event(c->read, &ngx_posted_next_events); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2279 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2280 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2281 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2282 "SSL_read: avail:%d", c->read->available); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2283 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2284 } else { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2285 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2286 #if (NGX_HAVE_FIONREAD) |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2287 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2288 if (ngx_socket_nread(c->fd, &c->read->available) == -1) { |
8110
06c7d84cafdb
SSL: fixed ngx_ssl_recv() to reset c->read->ready after errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8107
diff
changeset
|
2289 c->read->ready = 0; |
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2290 c->read->error = 1; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2291 ngx_connection_error(c, ngx_socket_errno, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2292 ngx_socket_nread_n " failed"); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2293 return NGX_ERROR; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2294 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2295 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2296 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2297 "SSL_read: avail:%d", c->read->available); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2298 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2299 #endif |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2300 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2301 |
489 | 2302 return bytes; |
577 | 2303 } |
489 | 2304 |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2305 buf += n; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2306 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2307 continue; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2308 } |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2309 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2310 if (bytes) { |
5450
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2311 if (c->ssl->last != NGX_AGAIN) { |
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2312 c->read->ready = 1; |
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2313 } |
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2314 |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2315 return bytes; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2316 } |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2317 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2318 switch (c->ssl->last) { |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2319 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2320 case NGX_DONE: |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2321 c->read->ready = 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2322 c->read->eof = 1; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2323 return 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2324 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2325 case NGX_ERROR: |
8110
06c7d84cafdb
SSL: fixed ngx_ssl_recv() to reset c->read->ready after errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8107
diff
changeset
|
2326 c->read->ready = 0; |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2327 c->read->error = 1; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2328 |
4499
778ef9c3fd2d
Fixed spelling in single-line comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4497
diff
changeset
|
2329 /* fall through */ |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2330 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2331 case NGX_AGAIN: |
577 | 2332 return c->ssl->last; |
479 | 2333 } |
489 | 2334 } |
2335 } | |
2336 | |
2337 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2338 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2339 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2340 static ssize_t |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2341 ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2342 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2343 int n, bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2344 size_t readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2345 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2346 if (c->ssl->last == NGX_ERROR) { |
8110
06c7d84cafdb
SSL: fixed ngx_ssl_recv() to reset c->read->ready after errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8107
diff
changeset
|
2347 c->read->ready = 0; |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2348 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2349 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2350 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2351 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2352 if (c->ssl->last == NGX_DONE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2353 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2354 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2355 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2356 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2357 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2358 bytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2359 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2360 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2361 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2362 if (c->ssl->early_preread) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2363 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2364 if (size == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2365 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2366 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2367 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2368 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2369 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2370 *buf = c->ssl->early_buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2371 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2372 c->ssl->early_preread = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2373 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2374 bytes = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2375 size -= 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2376 buf += 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2377 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2378 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2379 if (c->ssl->write_blocked) { |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2380 return NGX_AGAIN; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2381 } |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2382 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2383 /* |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2384 * SSL_read_early_data() may return data in parts, so try to read |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2385 * until SSL_read_early_data() would return no data |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2386 */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2387 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2388 for ( ;; ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2389 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2390 readbytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2391 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2392 n = SSL_read_early_data(c->ssl->connection, buf, size, &readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2393 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2394 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2395 "SSL_read_early_data: %d, %uz", n, readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2396 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2397 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2398 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2399 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2400 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2401 bytes += readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2402 size -= readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2403 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2404 if (size == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2405 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2406 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2407 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2408 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2409 buf += readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2410 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2411 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2412 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2413 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2414 if (n == SSL_READ_EARLY_DATA_FINISH) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2415 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2416 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2417 c->ssl->in_early = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2418 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2419 if (bytes) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2420 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2421 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2422 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2423 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2424 return ngx_ssl_recv(c, buf, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2425 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2426 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2427 /* SSL_READ_EARLY_DATA_ERROR */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2428 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2429 c->ssl->last = ngx_ssl_handle_recv(c, 0); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2430 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2431 if (bytes) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2432 if (c->ssl->last != NGX_AGAIN) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2433 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2434 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2435 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2436 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2437 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2438 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2439 switch (c->ssl->last) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2440 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2441 case NGX_DONE: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2442 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2443 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2444 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2445 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2446 case NGX_ERROR: |
8110
06c7d84cafdb
SSL: fixed ngx_ssl_recv() to reset c->read->ready after errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8107
diff
changeset
|
2447 c->read->ready = 0; |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2448 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2449 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2450 /* fall through */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2451 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2452 case NGX_AGAIN: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2453 return c->ssl->last; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2454 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2455 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2456 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2457 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2458 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2459 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2460 |
489 | 2461 static ngx_int_t |
2462 ngx_ssl_handle_recv(ngx_connection_t *c, int n) | |
2463 { | |
547 | 2464 int sslerr; |
2465 ngx_err_t err; | |
489 | 2466 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2467 #ifndef SSL_OP_NO_RENEGOTIATION |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2468 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2469 if (c->ssl->renegotiation) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2470 /* |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2471 * disable renegotiation (CVE-2009-3555): |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2472 * OpenSSL (at least up to 0.9.8l) does not handle disabled |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2473 * renegotiation gracefully, so drop connection here |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2474 */ |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2475 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2476 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2477 |
4236
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2478 while (ERR_peek_error()) { |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2479 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0, |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2480 "ignoring stale global SSL error"); |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2481 } |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2482 |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2483 ERR_clear_error(); |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2484 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2485 c->ssl->no_wait_shutdown = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2486 c->ssl->no_send_shutdown = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2487 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2488 return NGX_ERROR; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2489 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2490 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2491 #endif |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2492 |
489 | 2493 if (n > 0) { |
479 | 2494 |
473 | 2495 if (c->ssl->saved_write_handler) { |
2496 | |
509 | 2497 c->write->handler = c->ssl->saved_write_handler; |
473 | 2498 c->ssl->saved_write_handler = NULL; |
2499 c->write->ready = 1; | |
2500 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2501 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 2502 return NGX_ERROR; |
2503 } | |
2504 | |
563 | 2505 ngx_post_event(c->write, &ngx_posted_events); |
473 | 2506 } |
2507 | |
489 | 2508 return NGX_OK; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2509 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2510 |
543 | 2511 sslerr = SSL_get_error(c->ssl->connection, n); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2512 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2513 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2514 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2515 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2516 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2517 if (sslerr == SSL_ERROR_WANT_READ) { |
7353
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2518 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2519 if (c->ssl->saved_write_handler) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2520 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2521 c->write->handler = c->ssl->saved_write_handler; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2522 c->ssl->saved_write_handler = NULL; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2523 c->write->ready = 1; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2524 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2525 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2526 return NGX_ERROR; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2527 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2528 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2529 ngx_post_event(c->write, &ngx_posted_events); |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2530 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2531 |
455 | 2532 c->read->ready = 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2533 return NGX_AGAIN; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2534 } |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2535 |
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
2536 if (sslerr == SSL_ERROR_WANT_WRITE) { |
539 | 2537 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2538 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2539 "SSL_read: want write"); |
473 | 2540 |
2541 c->write->ready = 0; | |
2542 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2543 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 2544 return NGX_ERROR; |
2545 } | |
2546 | |
2547 /* | |
2548 * we do not set the timer because there is already the read event timer | |
2549 */ | |
2550 | |
2551 if (c->ssl->saved_write_handler == NULL) { | |
509 | 2552 c->ssl->saved_write_handler = c->write->handler; |
2553 c->write->handler = ngx_ssl_write_handler; | |
473 | 2554 } |
2555 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2556 return NGX_AGAIN; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2557 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2558 |
547 | 2559 c->ssl->no_wait_shutdown = 1; |
2560 c->ssl->no_send_shutdown = 1; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2561 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2562 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
577 | 2563 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
2564 "peer shutdown SSL cleanly"); | |
2565 return NGX_DONE; | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2566 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2567 |
547 | 2568 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed"); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2569 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2570 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2571 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2572 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2573 |
489 | 2574 static void |
2575 ngx_ssl_write_handler(ngx_event_t *wev) | |
473 | 2576 { |
2577 ngx_connection_t *c; | |
2578 | |
2579 c = wev->data; | |
547 | 2580 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2581 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL write handler"); |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2582 |
509 | 2583 c->read->handler(c->read); |
473 | 2584 } |
2585 | |
2586 | |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2587 /* |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2588 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer |
473 | 2589 * before the SSL_write() call to decrease a SSL overhead. |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2590 * |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2591 * Besides for protocols such as HTTP it is possible to always buffer |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2592 * the output to decrease a SSL overhead some more. |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2593 */ |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2594 |
489 | 2595 ngx_chain_t * |
2596 ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2597 { |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2598 int n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2599 ngx_uint_t flush; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2600 ssize_t send, size, file_size; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2601 ngx_buf_t *buf; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2602 ngx_chain_t *cl; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2603 |
2280
6453161bf53e
always use buffer, if connection is buffered,
Igor Sysoev <igor@sysoev.ru>
parents:
2165
diff
changeset
|
2604 if (!c->ssl->buffer) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2605 |
577 | 2606 while (in) { |
2607 if (ngx_buf_special(in->buf)) { | |
2608 in = in->next; | |
2609 continue; | |
2610 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2611 |
577 | 2612 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); |
2613 | |
2614 if (n == NGX_ERROR) { | |
2615 return NGX_CHAIN_ERROR; | |
2616 } | |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2617 |
577 | 2618 if (n == NGX_AGAIN) { |
2619 return in; | |
2620 } | |
2621 | |
2622 in->buf->pos += n; | |
2623 | |
2624 if (in->buf->pos == in->buf->last) { | |
2625 in = in->next; | |
2626 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2627 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2628 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2629 return in; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2630 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2631 |
473 | 2632 |
3962
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2633 /* the maximum limit size is the maximum int32_t value - the page size */ |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2634 |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2635 if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2636 limit = NGX_MAX_INT32_VALUE - ngx_pagesize; |
473 | 2637 } |
2638 | |
577 | 2639 buf = c->ssl->buf; |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2640 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2641 if (buf == NULL) { |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2642 buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size); |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2643 if (buf == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2644 return NGX_CHAIN_ERROR; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2645 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2646 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2647 c->ssl->buf = buf; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2648 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2649 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2650 if (buf->start == NULL) { |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2651 buf->start = ngx_palloc(c->pool, c->ssl->buffer_size); |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2652 if (buf->start == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2653 return NGX_CHAIN_ERROR; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2654 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2655 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2656 buf->pos = buf->start; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2657 buf->last = buf->start; |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2658 buf->end = buf->start + c->ssl->buffer_size; |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2659 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2660 |
5023
70a35b7b63ea
SSL: take into account data in the buffer while limiting output.
Valentin Bartenev <vbart@nginx.com>
parents:
5022
diff
changeset
|
2661 send = buf->last - buf->pos; |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2662 flush = (in == NULL) ? 1 : buf->flush; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2663 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2664 for ( ;; ) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2665 |
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
2666 while (in && buf->last < buf->end && send < limit) { |
583 | 2667 if (in->buf->last_buf || in->buf->flush) { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2668 flush = 1; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2669 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2670 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2671 if (ngx_buf_special(in->buf)) { |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2672 in = in->next; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2673 continue; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2674 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2675 |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2676 if (in->buf->in_file && c->ssl->sendfile) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2677 flush = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2678 break; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2679 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2680 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2681 size = in->buf->last - in->buf->pos; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2682 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2683 if (size > buf->end - buf->last) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2684 size = buf->end - buf->last; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2685 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2686 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2687 if (send + size > limit) { |
577 | 2688 size = (ssize_t) (limit - send); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2689 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2690 |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2691 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
6480 | 2692 "SSL buf copy: %z", size); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2693 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2694 ngx_memcpy(buf->last, in->buf->pos, size); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2695 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2696 buf->last += size; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2697 in->buf->pos += size; |
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
2698 send += size; |
577 | 2699 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2700 if (in->buf->pos == in->buf->last) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2701 in = in->next; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2702 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2703 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2704 |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2705 if (!flush && send < limit && buf->last < buf->end) { |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2706 break; |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2707 } |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2708 |
5021
674f8739e443
SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents:
5020
diff
changeset
|
2709 size = buf->last - buf->pos; |
674f8739e443
SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents:
5020
diff
changeset
|
2710 |
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2711 if (size == 0) { |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2712 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2713 if (in && in->buf->in_file && send < limit) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2714 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2715 /* coalesce the neighbouring file bufs */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2716 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2717 cl = in; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2718 file_size = (size_t) ngx_chain_coalesce_file(&cl, limit - send); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2719 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2720 n = ngx_ssl_sendfile(c, in->buf, file_size); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2721 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2722 if (n == NGX_ERROR) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2723 return NGX_CHAIN_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2724 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2725 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2726 if (n == NGX_AGAIN) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2727 break; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2728 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2729 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2730 in = ngx_chain_update_sent(in, n); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2731 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2732 send += n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2733 flush = 0; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2734 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2735 continue; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2736 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2737 |
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2738 buf->flush = 0; |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2739 c->buffered &= ~NGX_SSL_BUFFERED; |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2740 |
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2741 return in; |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2742 } |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2743 |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2744 n = ngx_ssl_write(c, buf->pos, size); |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2745 |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2746 if (n == NGX_ERROR) { |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2747 return NGX_CHAIN_ERROR; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2748 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2749 |
511 | 2750 if (n == NGX_AGAIN) { |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2751 break; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2752 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2753 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2754 buf->pos += n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2755 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2756 if (n < size) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2757 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2758 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2759 |
5019
69693a098655
SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents:
5018
diff
changeset
|
2760 flush = 0; |
69693a098655
SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents:
5018
diff
changeset
|
2761 |
5018
0ea36741bb35
SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents:
5003
diff
changeset
|
2762 buf->pos = buf->start; |
0ea36741bb35
SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents:
5003
diff
changeset
|
2763 buf->last = buf->start; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2764 |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2765 if (in == NULL || send >= limit) { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2766 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2767 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2768 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2769 |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2770 buf->flush = flush; |
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2771 |
597 | 2772 if (buf->pos < buf->last) { |
2773 c->buffered |= NGX_SSL_BUFFERED; | |
2774 | |
2775 } else { | |
2776 c->buffered &= ~NGX_SSL_BUFFERED; | |
2777 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2778 |
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
398
diff
changeset
|
2779 return in; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2780 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2781 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2782 |
539 | 2783 ssize_t |
489 | 2784 ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2785 { |
547 | 2786 int n, sslerr; |
2787 ngx_err_t err; | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2788 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2789 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2790 if (c->ssl->in_early) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2791 return ngx_ssl_write_early(c, data, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2792 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2793 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2794 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2795 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2796 |
6480 | 2797 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2798 |
543 | 2799 n = SSL_write(c->ssl->connection, data, size); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2800 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2801 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2802 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2803 if (n > 0) { |
539 | 2804 |
473 | 2805 if (c->ssl->saved_read_handler) { |
2806 | |
509 | 2807 c->read->handler = c->ssl->saved_read_handler; |
473 | 2808 c->ssl->saved_read_handler = NULL; |
2809 c->read->ready = 1; | |
2810 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2811 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 2812 return NGX_ERROR; |
2813 } | |
2814 | |
563 | 2815 ngx_post_event(c->read, &ngx_posted_events); |
473 | 2816 } |
2817 | |
5986
c2f309fb7ad2
SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents:
5946
diff
changeset
|
2818 c->sent += n; |
c2f309fb7ad2
SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents:
5946
diff
changeset
|
2819 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2820 return n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2821 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2822 |
543 | 2823 sslerr = SSL_get_error(c->ssl->connection, n); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2824 |
7706
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2825 if (sslerr == SSL_ERROR_ZERO_RETURN) { |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2826 |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2827 /* |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2828 * OpenSSL 1.1.1 fails to return SSL_ERROR_SYSCALL if an error |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2829 * happens during SSL_write() after close_notify alert from the |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2830 * peer, and returns SSL_ERROR_ZERO_RETURN instead, |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2831 * https://git.openssl.org/?p=openssl.git;a=commitdiff;h=8051ab2 |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2832 */ |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2833 |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2834 sslerr = SSL_ERROR_SYSCALL; |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2835 } |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2836 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2837 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2838 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2839 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2840 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2841 if (sslerr == SSL_ERROR_WANT_WRITE) { |
7353
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2842 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2843 if (c->ssl->saved_read_handler) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2844 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2845 c->read->handler = c->ssl->saved_read_handler; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2846 c->ssl->saved_read_handler = NULL; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2847 c->read->ready = 1; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2848 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2849 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2850 return NGX_ERROR; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2851 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2852 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2853 ngx_post_event(c->read, &ngx_posted_events); |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2854 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2855 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2856 c->write->ready = 0; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2857 return NGX_AGAIN; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2858 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2859 |
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
2860 if (sslerr == SSL_ERROR_WANT_READ) { |
452 | 2861 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2862 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2863 "SSL_write: want read"); |
473 | 2864 |
2865 c->read->ready = 0; | |
2866 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2867 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 2868 return NGX_ERROR; |
2869 } | |
2870 | |
2871 /* | |
2872 * we do not set the timer because there is already | |
2873 * the write event timer | |
2874 */ | |
2875 | |
2876 if (c->ssl->saved_read_handler == NULL) { | |
509 | 2877 c->ssl->saved_read_handler = c->read->handler; |
2878 c->read->handler = ngx_ssl_read_handler; | |
473 | 2879 } |
2880 | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2881 return NGX_AGAIN; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2882 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2883 |
547 | 2884 c->ssl->no_wait_shutdown = 1; |
2885 c->ssl->no_send_shutdown = 1; | |
591 | 2886 c->write->error = 1; |
543 | 2887 |
547 | 2888 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed"); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2889 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2890 return NGX_ERROR; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2891 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2892 |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2893 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2894 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2895 |
7940
46a02ed7c966
Style: added missing "static" specifiers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7936
diff
changeset
|
2896 static ssize_t |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2897 ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2898 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2899 int n, sslerr; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2900 size_t written; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2901 ngx_err_t err; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2902 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2903 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2904 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2905 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2906 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2907 written = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2908 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2909 n = SSL_write_early_data(c->ssl->connection, data, size, &written); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2910 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2911 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2912 "SSL_write_early_data: %d, %uz", n, written); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2913 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2914 if (n > 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2915 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2916 if (c->ssl->saved_read_handler) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2917 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2918 c->read->handler = c->ssl->saved_read_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2919 c->ssl->saved_read_handler = NULL; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2920 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2921 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2922 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2923 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2924 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2925 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2926 ngx_post_event(c->read, &ngx_posted_events); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2927 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2928 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2929 if (c->ssl->write_blocked) { |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2930 c->ssl->write_blocked = 0; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2931 ngx_post_event(c->read, &ngx_posted_events); |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2932 } |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2933 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2934 c->sent += written; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2935 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2936 return written; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2937 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2938 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2939 sslerr = SSL_get_error(c->ssl->connection, n); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2940 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2941 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2942 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2943 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2944 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2945 if (sslerr == SSL_ERROR_WANT_WRITE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2946 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2947 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2948 "SSL_write_early_data: want write"); |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2949 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2950 if (c->ssl->saved_read_handler) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2951 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2952 c->read->handler = c->ssl->saved_read_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2953 c->ssl->saved_read_handler = NULL; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2954 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2955 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2956 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2957 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2958 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2959 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2960 ngx_post_event(c->read, &ngx_posted_events); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2961 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2962 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2963 /* |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2964 * OpenSSL 1.1.1a fails to handle SSL_read_early_data() |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2965 * if an SSL_write_early_data() call blocked on writing, |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2966 * see https://github.com/openssl/openssl/issues/7757 |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2967 */ |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2968 |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2969 c->ssl->write_blocked = 1; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2970 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2971 c->write->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2972 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2973 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2974 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2975 if (sslerr == SSL_ERROR_WANT_READ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2976 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2977 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2978 "SSL_write_early_data: want read"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2979 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2980 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2981 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2982 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2983 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2984 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2985 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2986 /* |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2987 * we do not set the timer because there is already |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2988 * the write event timer |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2989 */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2990 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2991 if (c->ssl->saved_read_handler == NULL) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2992 c->ssl->saved_read_handler = c->read->handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2993 c->read->handler = ngx_ssl_read_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2994 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2995 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2996 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2997 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2998 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2999 c->ssl->no_wait_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3000 c->ssl->no_send_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3001 c->write->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3002 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3003 ngx_ssl_connection_error(c, sslerr, err, "SSL_write_early_data() failed"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3004 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3005 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3006 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3007 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3008 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3009 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
3010 |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3011 static ssize_t |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3012 ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, size_t size) |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3013 { |
8068
0546ab9351c8
Win32: fixed build on Windows with OpenSSL 3.0.x (ticket #2379).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8065
diff
changeset
|
3014 #if (defined BIO_get_ktls_send && !NGX_WIN32) |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3015 |
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3016 int sslerr, flags; |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3017 ssize_t n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3018 ngx_err_t err; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3019 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3020 ngx_ssl_clear_error(c->log); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3021 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3022 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3023 "SSL to sendfile: @%O %uz", |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3024 file->file_pos, size); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3025 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3026 ngx_set_errno(0); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3027 |
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3028 #if (NGX_HAVE_SENDFILE_NODISKIO) |
7987
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
3029 |
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3030 flags = (c->busy_count <= 2) ? SF_NODISKIO : 0; |
7987
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
3031 |
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
3032 if (file->file->directio) { |
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
3033 flags |= SF_NOCACHE; |
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
3034 } |
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
3035 |
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3036 #else |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3037 flags = 0; |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3038 #endif |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3039 |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3040 n = SSL_sendfile(c->ssl->connection, file->file->fd, file->file_pos, |
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3041 size, flags); |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3042 |
8107
0b360747c74e
SSL: fixed debug logging of SSL_sendfile() return value.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8087
diff
changeset
|
3043 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %z", n); |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3044 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3045 if (n > 0) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3046 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3047 if (c->ssl->saved_read_handler) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3048 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3049 c->read->handler = c->ssl->saved_read_handler; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3050 c->ssl->saved_read_handler = NULL; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3051 c->read->ready = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3052 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3053 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3054 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3055 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3056 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3057 ngx_post_event(c->read, &ngx_posted_events); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3058 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3059 |
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3060 #if (NGX_HAVE_SENDFILE_NODISKIO) |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3061 c->busy_count = 0; |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3062 #endif |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3063 |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3064 c->sent += n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3065 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3066 return n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3067 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3068 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3069 if (n == 0) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3070 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3071 /* |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3072 * if sendfile returns zero, then someone has truncated the file, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3073 * so the offset became beyond the end of the file |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3074 */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3075 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3076 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3077 "SSL_sendfile() reported that \"%s\" was truncated at %O", |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3078 file->file->name.data, file->file_pos); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3079 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3080 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3081 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3082 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3083 sslerr = SSL_get_error(c->ssl->connection, n); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3084 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3085 if (sslerr == SSL_ERROR_ZERO_RETURN) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3086 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3087 /* |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3088 * OpenSSL fails to return SSL_ERROR_SYSCALL if an error |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3089 * happens during writing after close_notify alert from the |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3090 * peer, and returns SSL_ERROR_ZERO_RETURN instead |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3091 */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3092 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3093 sslerr = SSL_ERROR_SYSCALL; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3094 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3095 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3096 if (sslerr == SSL_ERROR_SSL |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3097 && ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNINITIALIZED |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3098 && ngx_errno != 0) |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3099 { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3100 /* |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3101 * OpenSSL fails to return SSL_ERROR_SYSCALL if an error |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3102 * happens in sendfile(), and returns SSL_ERROR_SSL with |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3103 * SSL_R_UNINITIALIZED reason instead |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3104 */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3105 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3106 sslerr = SSL_ERROR_SYSCALL; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3107 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3108 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3109 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3110 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3111 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3112 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3113 if (sslerr == SSL_ERROR_WANT_WRITE) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3114 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3115 if (c->ssl->saved_read_handler) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3116 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3117 c->read->handler = c->ssl->saved_read_handler; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3118 c->ssl->saved_read_handler = NULL; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3119 c->read->ready = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3120 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3121 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3122 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3123 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3124 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3125 ngx_post_event(c->read, &ngx_posted_events); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3126 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3127 |
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3128 #if (NGX_HAVE_SENDFILE_NODISKIO) |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3129 |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3130 if (ngx_errno == EBUSY) { |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3131 c->busy_count++; |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3132 |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3133 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3134 "SSL_sendfile() busy, count:%d", c->busy_count); |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3135 |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3136 if (c->write->posted) { |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3137 ngx_delete_posted_event(c->write); |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3138 } |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3139 |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3140 ngx_post_event(c->write, &ngx_posted_next_events); |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3141 } |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3142 |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3143 #endif |
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3144 |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3145 c->write->ready = 0; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3146 return NGX_AGAIN; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3147 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3148 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3149 if (sslerr == SSL_ERROR_WANT_READ) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3150 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3151 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3152 "SSL_sendfile: want read"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3153 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3154 c->read->ready = 0; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3155 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3156 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3157 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3158 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3159 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3160 /* |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3161 * we do not set the timer because there is already |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3162 * the write event timer |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3163 */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3164 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3165 if (c->ssl->saved_read_handler == NULL) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3166 c->ssl->saved_read_handler = c->read->handler; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3167 c->read->handler = ngx_ssl_read_handler; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3168 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3169 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3170 return NGX_AGAIN; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3171 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3172 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3173 c->ssl->no_wait_shutdown = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3174 c->ssl->no_send_shutdown = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3175 c->write->error = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3176 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3177 ngx_ssl_connection_error(c, sslerr, err, "SSL_sendfile() failed"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3178 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3179 #else |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3180 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3181 "SSL_sendfile() not available"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3182 #endif |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3183 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3184 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3185 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3186 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3187 |
489 | 3188 static void |
3189 ngx_ssl_read_handler(ngx_event_t *rev) | |
473 | 3190 { |
3191 ngx_connection_t *c; | |
3192 | |
3193 c = rev->data; | |
547 | 3194 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
3195 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler"); |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
3196 |
509 | 3197 c->write->handler(c->write); |
473 | 3198 } |
3199 | |
3200 | |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3201 void |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3202 ngx_ssl_free_buffer(ngx_connection_t *c) |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3203 { |
1795
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3204 if (c->ssl->buf && c->ssl->buf->start) { |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3205 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) { |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3206 c->ssl->buf->start = NULL; |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3207 } |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3208 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3209 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3210 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3211 |
489 | 3212 ngx_int_t |
3213 ngx_ssl_shutdown(ngx_connection_t *c) | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3214 { |
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3215 int n, sslerr, mode; |
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3216 ngx_int_t rc; |
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3217 ngx_err_t err; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3218 ngx_uint_t tries; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3219 |
8485
b0953b020be7
SSL: fixed compilation without QUIC after 0d2b2664b41c.
Roman Arutyunyan <arut@nginx.com>
parents:
8468
diff
changeset
|
3220 #if (NGX_QUIC) |
8630
279ad36f2f4b
QUIC: renamed c->qs to c->quic.
Roman Arutyunyan <arut@nginx.com>
parents:
8618
diff
changeset
|
3221 if (c->quic) { |
8272
7f0981be07c4
Fixed client certificate verification.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8232
diff
changeset
|
3222 /* QUIC streams inherit SSL object */ |
7f0981be07c4
Fixed client certificate verification.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8232
diff
changeset
|
3223 return NGX_OK; |
7f0981be07c4
Fixed client certificate verification.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8232
diff
changeset
|
3224 } |
8485
b0953b020be7
SSL: fixed compilation without QUIC after 0d2b2664b41c.
Roman Arutyunyan <arut@nginx.com>
parents:
8468
diff
changeset
|
3225 #endif |
8272
7f0981be07c4
Fixed client certificate verification.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8232
diff
changeset
|
3226 |
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3227 rc = NGX_OK; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3228 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
3229 ngx_ssl_ocsp_cleanup(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
3230 |
6407
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3231 if (SSL_in_init(c->ssl->connection)) { |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3232 /* |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3233 * OpenSSL 1.0.2f complains if SSL_shutdown() is called during |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3234 * an SSL handshake, while previous versions always return 0. |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3235 * Avoid calling SSL_shutdown() if handshake wasn't completed. |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3236 */ |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3237 |
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3238 goto done; |
6407
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3239 } |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3240 |
7709
052ecc68d350
SSL: disabled shutdown when there are buffered data.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7708
diff
changeset
|
3241 if (c->timedout || c->error || c->buffered) { |
547 | 3242 mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN; |
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3243 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3244 |
547 | 3245 } else { |
3246 mode = SSL_get_shutdown(c->ssl->connection); | |
473 | 3247 |
547 | 3248 if (c->ssl->no_wait_shutdown) { |
3249 mode |= SSL_RECEIVED_SHUTDOWN; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3250 } |
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3251 |
547 | 3252 if (c->ssl->no_send_shutdown) { |
3253 mode |= SSL_SENT_SHUTDOWN; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3254 } |
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3255 |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3256 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) { |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3257 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3258 } |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3259 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3260 |
547 | 3261 SSL_set_shutdown(c->ssl->connection, mode); |
3262 | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3263 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3264 |
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3265 tries = 2; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3266 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3267 for ( ;; ) { |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3268 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3269 /* |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3270 * For bidirectional shutdown, SSL_shutdown() needs to be called |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3271 * twice: first call sends the "close notify" alert and returns 0, |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3272 * second call waits for the peer's "close notify" alert. |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3273 */ |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3274 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3275 n = SSL_shutdown(c->ssl->connection); |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3276 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3277 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3278 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3279 if (n == 1) { |
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3280 goto done; |
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3281 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3282 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3283 if (n == 0 && tries-- > 1) { |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3284 continue; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3285 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3286 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3287 /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */ |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3288 |
543 | 3289 sslerr = SSL_get_error(c->ssl->connection, n); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3290 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3291 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3292 "SSL_get_error: %d", sslerr); |
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3293 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3294 if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3295 c->read->handler = ngx_ssl_shutdown_handler; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3296 c->write->handler = ngx_ssl_shutdown_handler; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3297 |
7707
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3298 if (sslerr == SSL_ERROR_WANT_READ) { |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3299 c->read->ready = 0; |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3300 |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3301 } else { |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3302 c->write->ready = 0; |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3303 } |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3304 |
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3305 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3306 goto failed; |
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3307 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3308 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3309 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3310 goto failed; |
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3311 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3312 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3313 ngx_add_timer(c->read, 3000); |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3314 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3315 return NGX_AGAIN; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3316 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3317 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3318 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3319 goto done; |
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3320 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3321 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3322 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3323 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3324 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3325 |
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3326 break; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3327 } |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3328 |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3329 failed: |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3330 |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3331 rc = NGX_ERROR; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3332 |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3333 done: |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3334 |
7871
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3335 if (c->ssl->shutdown_without_free) { |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3336 c->ssl->shutdown_without_free = 0; |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3337 c->recv = ngx_recv; |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3338 return rc; |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3339 } |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3340 |
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3341 SSL_free(c->ssl->connection); |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3342 c->ssl = NULL; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3343 c->recv = ngx_recv; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3344 |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3345 return rc; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3346 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3347 |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3348 |
547 | 3349 static void |
577 | 3350 ngx_ssl_shutdown_handler(ngx_event_t *ev) |
3351 { | |
3352 ngx_connection_t *c; | |
3353 ngx_connection_handler_pt handler; | |
3354 | |
3355 c = ev->data; | |
3356 handler = c->ssl->handler; | |
3357 | |
3358 if (ev->timedout) { | |
3359 c->timedout = 1; | |
3360 } | |
3361 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3362 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler"); |
577 | 3363 |
3364 if (ngx_ssl_shutdown(c) == NGX_AGAIN) { | |
3365 return; | |
3366 } | |
3367 | |
3368 handler(c); | |
3369 } | |
3370 | |
3371 | |
3372 static void | |
547 | 3373 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, |
3374 char *text) | |
3375 { | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3376 int n; |
547 | 3377 ngx_uint_t level; |
3378 | |
3379 level = NGX_LOG_CRIT; | |
3380 | |
3381 if (sslerr == SSL_ERROR_SYSCALL) { | |
3382 | |
3383 if (err == NGX_ECONNRESET | |
7560
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3384 #if (NGX_WIN32) |
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3385 || err == NGX_ECONNABORTED |
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3386 #endif |
547 | 3387 || err == NGX_EPIPE |
3388 || err == NGX_ENOTCONN | |
589 | 3389 || err == NGX_ETIMEDOUT |
547 | 3390 || err == NGX_ECONNREFUSED |
1869
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3391 || err == NGX_ENETDOWN |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3392 || err == NGX_ENETUNREACH |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3393 || err == NGX_EHOSTDOWN |
547 | 3394 || err == NGX_EHOSTUNREACH) |
3395 { | |
3396 switch (c->log_error) { | |
3397 | |
3398 case NGX_ERROR_IGNORE_ECONNRESET: | |
3399 case NGX_ERROR_INFO: | |
3400 level = NGX_LOG_INFO; | |
3401 break; | |
3402 | |
3403 case NGX_ERROR_ERR: | |
3404 level = NGX_LOG_ERR; | |
3405 break; | |
3406 | |
3407 default: | |
3408 break; | |
3409 } | |
3410 } | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3411 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3412 } else if (sslerr == SSL_ERROR_SSL) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3413 |
8143
69c7df4fe5d3
SSL: switched to detect log level based on the last error.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8110
diff
changeset
|
3414 n = ERR_GET_REASON(ERR_peek_last_error()); |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3415 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3416 /* handshake failures */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3417 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ |
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3418 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3419 || n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */ |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3420 #endif |
8146
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3421 #ifdef SSL_R_BAD_ALERT |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3422 || n == SSL_R_BAD_ALERT /* 102 */ |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3423 #endif |
8054
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3424 #ifdef SSL_R_BAD_KEY_SHARE |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3425 || n == SSL_R_BAD_KEY_SHARE /* 108 */ |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3426 #endif |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3427 #ifdef SSL_R_BAD_EXTENSION |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3428 || n == SSL_R_BAD_EXTENSION /* 110 */ |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3429 #endif |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3430 || n == SSL_R_BAD_DIGEST_LENGTH /* 111 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3431 #ifdef SSL_R_MISSING_SIGALGS_EXTENSION |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3432 || n == SSL_R_MISSING_SIGALGS_EXTENSION /* 112 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3433 #endif |
8145
64db9e50f6c5
SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8144
diff
changeset
|
3434 || n == SSL_R_BAD_PACKET_LENGTH /* 115 */ |
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3435 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3436 || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */ |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3437 #endif |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3438 #ifdef SSL_R_BAD_KEY_UPDATE |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3439 || n == SSL_R_BAD_KEY_UPDATE /* 122 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3440 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3441 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3442 || n == SSL_R_CCS_RECEIVED_EARLY /* 133 */ |
8146
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3443 #ifdef SSL_R_DECODE_ERROR |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3444 || n == SSL_R_DECODE_ERROR /* 137 */ |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3445 #endif |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3446 #ifdef SSL_R_DATA_BETWEEN_CCS_AND_FINISHED |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3447 || n == SSL_R_DATA_BETWEEN_CCS_AND_FINISHED /* 145 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3448 #endif |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3449 || n == SSL_R_DATA_LENGTH_TOO_LONG /* 146 */ |
3718
bfd84b583868
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3516
diff
changeset
|
3450 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3451 || n == SSL_R_ENCRYPTED_LENGTH_TOO_LONG /* 150 */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3452 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3453 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3454 #ifdef SSL_R_GOT_A_FIN_BEFORE_A_CCS |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3455 || n == SSL_R_GOT_A_FIN_BEFORE_A_CCS /* 154 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3456 #endif |
7311
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
3457 || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */ |
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
3458 || n == SSL_R_HTTP_REQUEST /* 156 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3459 || n == SSL_R_LENGTH_MISMATCH /* 159 */ |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3460 #ifdef SSL_R_LENGTH_TOO_SHORT |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3461 || n == SSL_R_LENGTH_TOO_SHORT /* 160 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3462 #endif |
8146
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3463 #ifdef SSL_R_NO_RENEGOTIATION |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3464 || n == SSL_R_NO_RENEGOTIATION /* 182 */ |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3465 #endif |
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
3466 #ifdef SSL_R_NO_CIPHERS_PASSED |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3467 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ |
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
3468 #endif |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3469 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ |
8054
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3470 #ifdef SSL_R_BAD_CIPHER |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3471 || n == SSL_R_BAD_CIPHER /* 186 */ |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3472 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3473 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3474 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3475 #ifdef SSL_R_PACKET_LENGTH_TOO_LONG |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3476 || n == SSL_R_PACKET_LENGTH_TOO_LONG /* 198 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3477 #endif |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3478 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ |
8146
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3479 #ifdef SSL_R_TOO_MANY_WARNING_ALERTS |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3480 || n == SSL_R_TOO_MANY_WARNING_ALERTS /* 220 */ |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3481 #endif |
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3482 #ifdef SSL_R_CLIENTHELLO_TLSEXT |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3483 || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */ |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3484 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3485 #ifdef SSL_R_PARSE_TLSEXT |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3486 || n == SSL_R_PARSE_TLSEXT /* 227 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3487 #endif |
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3488 #ifdef SSL_R_CALLBACK_FAILED |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3489 || n == SSL_R_CALLBACK_FAILED /* 234 */ |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3490 #endif |
8145
64db9e50f6c5
SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8144
diff
changeset
|
3491 #ifdef SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG |
64db9e50f6c5
SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8144
diff
changeset
|
3492 || n == SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG /* 234 */ |
64db9e50f6c5
SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8144
diff
changeset
|
3493 #endif |
7936
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
3494 #ifdef SSL_R_NO_APPLICATION_PROTOCOL |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
3495 || n == SSL_R_NO_APPLICATION_PROTOCOL /* 235 */ |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
3496 #endif |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3497 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3498 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3499 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ |
3357
fc735aa50b8b
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
3500 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ |
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3501 #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3502 || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */ |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3503 #endif |
8146
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3504 #ifdef SSL_R_INVALID_COMPRESSION_LIST |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3505 || n == SSL_R_INVALID_COMPRESSION_LIST /* 256 */ |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3506 #endif |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3507 #ifdef SSL_R_MISSING_KEY_SHARE |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3508 || n == SSL_R_MISSING_KEY_SHARE /* 258 */ |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3509 #endif |
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3510 || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */ |
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3511 #ifdef SSL_R_NO_SHARED_GROUP |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3512 || n == SSL_R_NO_SHARED_GROUP /* 266 */ |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3513 #endif |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3514 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ |
8146
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3515 #ifdef SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3516 || n == SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA /* 270 */ |
b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8145
diff
changeset
|
3517 #endif |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3518 || n == SSL_R_BAD_LENGTH /* 271 */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3519 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ |
8009
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3520 #ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3521 || n == SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY /* 291 */ |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3522 #endif |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3523 #ifdef SSL_R_APPLICATION_DATA_ON_SHUTDOWN |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3524 || n == SSL_R_APPLICATION_DATA_ON_SHUTDOWN /* 291 */ |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3525 #endif |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3526 #ifdef SSL_R_BAD_LEGACY_VERSION |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3527 || n == SSL_R_BAD_LEGACY_VERSION /* 292 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3528 #endif |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3529 #ifdef SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3530 || n == SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA /* 293 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3531 #endif |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3532 #ifdef SSL_R_RECORD_TOO_SMALL |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3533 || n == SSL_R_RECORD_TOO_SMALL /* 298 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3534 #endif |
8145
64db9e50f6c5
SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8144
diff
changeset
|
3535 #ifdef SSL_R_SSL3_SESSION_ID_TOO_LONG |
64db9e50f6c5
SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8144
diff
changeset
|
3536 || n == SSL_R_SSL3_SESSION_ID_TOO_LONG /* 300 */ |
64db9e50f6c5
SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8144
diff
changeset
|
3537 #endif |
8054
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3538 #ifdef SSL_R_BAD_ECPOINT |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3539 || n == SSL_R_BAD_ECPOINT /* 306 */ |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3540 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3541 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3542 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3543 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3544 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3545 #endif |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3546 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3547 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3548 #endif |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3549 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3550 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3551 #endif |
5902
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3552 #ifdef SSL_R_INAPPROPRIATE_FALLBACK |
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3553 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ |
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3554 #endif |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3555 #ifdef SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3556 || n == SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS /* 376 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3557 #endif |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3558 #ifdef SSL_R_NO_SHARED_SIGATURE_ALGORITHMS |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3559 || n == SSL_R_NO_SHARED_SIGATURE_ALGORITHMS /* 376 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3560 #endif |
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3561 #ifdef SSL_R_CERT_CB_ERROR |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3562 || n == SSL_R_CERT_CB_ERROR /* 377 */ |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3563 #endif |
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3564 #ifdef SSL_R_VERSION_TOO_LOW |
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3565 || n == SSL_R_VERSION_TOO_LOW /* 396 */ |
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3566 #endif |
8144
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3567 #ifdef SSL_R_TOO_MANY_WARN_ALERTS |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3568 || n == SSL_R_TOO_MANY_WARN_ALERTS /* 409 */ |
6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8143
diff
changeset
|
3569 #endif |
8063
9cf231508a8d
SSL: logging level of "bad record type" errors.
Murilo Andrade <murilo.b.andrade@gmail.com>
parents:
8054
diff
changeset
|
3570 #ifdef SSL_R_BAD_RECORD_TYPE |
9cf231508a8d
SSL: logging level of "bad record type" errors.
Murilo Andrade <murilo.b.andrade@gmail.com>
parents:
8054
diff
changeset
|
3571 || n == SSL_R_BAD_RECORD_TYPE /* 443 */ |
9cf231508a8d
SSL: logging level of "bad record type" errors.
Murilo Andrade <murilo.b.andrade@gmail.com>
parents:
8054
diff
changeset
|
3572 #endif |
1877
a55876dff8f5
low SSL handshake close notify alert error level
Igor Sysoev <igor@sysoev.ru>
parents:
1876
diff
changeset
|
3573 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3574 #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3575 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3576 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3577 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3578 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3579 || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3580 || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3581 || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3582 || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3583 || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3584 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3585 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3586 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3587 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3588 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3589 || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3590 || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3591 || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3592 || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3593 || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3594 || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3595 || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3596 || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ |
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3597 || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */ |
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3598 #endif |
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3599 ) |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3600 { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3601 switch (c->log_error) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3602 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3603 case NGX_ERROR_IGNORE_ECONNRESET: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3604 case NGX_ERROR_INFO: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3605 level = NGX_LOG_INFO; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3606 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3607 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3608 case NGX_ERROR_ERR: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3609 level = NGX_LOG_ERR; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3610 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3611 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3612 default: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3613 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3614 } |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3615 } |
547 | 3616 } |
3617 | |
3618 ngx_ssl_error(level, c->log, err, text); | |
3619 } | |
3620 | |
3621 | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3622 static void |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3623 ngx_ssl_clear_error(ngx_log_t *log) |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3624 { |
1868 | 3625 while (ERR_peek_error()) { |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3626 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3627 } |
1868 | 3628 |
3629 ERR_clear_error(); | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3630 } |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3631 |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3632 |
583 | 3633 void ngx_cdecl |
489 | 3634 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) |
577 | 3635 { |
4877
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3636 int flags; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3637 u_long n; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3638 va_list args; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3639 u_char *p, *last; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3640 u_char errstr[NGX_MAX_CONF_ERRSTR]; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3641 const char *data; |
461 | 3642 |
3643 last = errstr + NGX_MAX_CONF_ERRSTR; | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3644 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3645 va_start(args, fmt); |
2764
d4a717592877
use ngx_vslprintf(), ngx_slprintf()
Igor Sysoev <igor@sysoev.ru>
parents:
2720
diff
changeset
|
3646 p = ngx_vslprintf(errstr, last - 1, fmt, args); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3647 va_end(args); |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3648 |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3649 if (ERR_peek_error()) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3650 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3651 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3652 for ( ;; ) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3653 |
7897
4195a6f0c61c
SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7896
diff
changeset
|
3654 n = ERR_peek_error_data(&data, &flags); |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3655 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3656 if (n == 0) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3657 break; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3658 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3659 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3660 /* ERR_error_string_n() requires at least one byte */ |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3661 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3662 if (p >= last - 1) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3663 goto next; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3664 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3665 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3666 *p++ = ' '; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3667 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3668 ERR_error_string_n(n, (char *) p, last - p); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3669 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3670 while (p < last && *p) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3671 p++; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3672 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3673 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3674 if (p < last && *data && (flags & ERR_TXT_STRING)) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3675 *p++ = ':'; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3676 p = ngx_cpystrn(p, (u_char *) data, last - p); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3677 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3678 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3679 next: |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3680 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3681 (void) ERR_get_error(); |
1861 | 3682 } |
3683 | |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3684 if (p < last) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3685 *p++ = ')'; |
547 | 3686 } |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3687 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3688 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3689 ngx_log_error(level, log, err, "%*s", p - errstr, errstr); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3690 } |
509 | 3691 |
3692 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3693 ngx_int_t |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3694 ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3695 ngx_array_t *certificates, ssize_t builtin_session_cache, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3696 ngx_shm_zone_t *shm_zone, time_t timeout) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3697 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3698 long cache_mode; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3699 |
5424
767aa37f12de
SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5423
diff
changeset
|
3700 SSL_CTX_set_timeout(ssl->ctx, (long) timeout); |
767aa37f12de
SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5423
diff
changeset
|
3701 |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3702 if (ngx_ssl_session_id_context(ssl, sess_ctx, certificates) != NGX_OK) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3703 return NGX_ERROR; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3704 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3705 |
1778 | 3706 if (builtin_session_cache == NGX_SSL_NO_SCACHE) { |
3707 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF); | |
3708 return NGX_OK; | |
3709 } | |
3710 | |
2032 | 3711 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { |
3712 | |
3713 /* | |
3714 * If the server explicitly says that it does not support | |
3715 * session reuse (see SSL_SESS_CACHE_OFF above), then | |
3716 * Outlook Express fails to upload a sent email to | |
3717 * the Sent Items folder on the IMAP server via a separate IMAP | |
6552 | 3718 * connection in the background. Therefore we have a special |
2032 | 3719 * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE) |
3720 * where the server pretends that it supports session reuse, | |
3721 * but it does not actually store any session. | |
3722 */ | |
3723 | |
3724 SSL_CTX_set_session_cache_mode(ssl->ctx, | |
3725 SSL_SESS_CACHE_SERVER | |
3726 |SSL_SESS_CACHE_NO_AUTO_CLEAR | |
3727 |SSL_SESS_CACHE_NO_INTERNAL_STORE); | |
3728 | |
3729 SSL_CTX_sess_set_cache_size(ssl->ctx, 1); | |
3730 | |
3731 return NGX_OK; | |
3732 } | |
3733 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3734 cache_mode = SSL_SESS_CACHE_SERVER; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3735 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3736 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3737 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3738 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3739 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3740 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3741 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3742 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3743 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3744 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3745 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3746 } |
1015
32ebb6b13ff3
ssl_session_timeout was set only if builtin cache was used
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
3747 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3748 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3749 if (shm_zone) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3750 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3751 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3752 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3753 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3754 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3755 == 0) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3756 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3757 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3758 "SSL_CTX_set_ex_data() failed"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3759 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3760 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3761 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3762 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3763 return NGX_OK; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3764 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3765 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3766 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3767 static ngx_int_t |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3768 ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3769 ngx_array_t *certificates) |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3770 { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3771 int n, i; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3772 X509 *cert; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3773 X509_NAME *name; |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3774 ngx_str_t *certs; |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3775 ngx_uint_t k; |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3776 EVP_MD_CTX *md; |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3777 unsigned int len; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3778 STACK_OF(X509_NAME) *list; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3779 u_char buf[EVP_MAX_MD_SIZE]; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3780 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3781 /* |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3782 * Session ID context is set based on the string provided, |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3783 * the server certificates, and the client CA list. |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3784 */ |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3785 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3786 md = EVP_MD_CTX_create(); |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3787 if (md == NULL) { |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3788 return NGX_ERROR; |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3789 } |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3790 |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3791 if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3792 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3793 "EVP_DigestInit_ex() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3794 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3795 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3796 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3797 if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3798 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3799 "EVP_DigestUpdate() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3800 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3801 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3802 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3803 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3804 cert; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3805 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3806 { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3807 if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3808 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3809 "X509_digest() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3810 goto failed; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3811 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3812 |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3813 if (EVP_DigestUpdate(md, buf, len) == 0) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3814 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3815 "EVP_DigestUpdate() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3816 goto failed; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3817 } |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3818 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3819 |
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
3820 if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
3821 && certificates != NULL) |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
3822 { |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3823 /* |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3824 * If certificates are loaded dynamically, we use certificate |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3825 * names as specified in the configuration (with variables). |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3826 */ |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3827 |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3828 certs = certificates->elts; |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3829 for (k = 0; k < certificates->nelts; k++) { |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3830 |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3831 if (EVP_DigestUpdate(md, certs[k].data, certs[k].len) == 0) { |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3832 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3833 "EVP_DigestUpdate() failed"); |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3834 goto failed; |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3835 } |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3836 } |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3837 } |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3838 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3839 list = SSL_CTX_get_client_CA_list(ssl->ctx); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3840 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3841 if (list != NULL) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3842 n = sk_X509_NAME_num(list); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3843 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3844 for (i = 0; i < n; i++) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3845 name = sk_X509_NAME_value(list, i); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3846 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3847 if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3848 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3849 "X509_NAME_digest() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3850 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3851 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3852 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3853 if (EVP_DigestUpdate(md, buf, len) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3854 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3855 "EVP_DigestUpdate() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3856 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3857 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3858 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3859 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3860 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3861 if (EVP_DigestFinal_ex(md, buf, &len) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3862 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
7455
992bf7540a98
SSL: fixed EVP_DigestFinal_ex() error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7454
diff
changeset
|
3863 "EVP_DigestFinal_ex() failed"); |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3864 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3865 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3866 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3867 EVP_MD_CTX_destroy(md); |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3868 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3869 if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3870 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3871 "SSL_CTX_set_session_id_context() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3872 return NGX_ERROR; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3873 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3874 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3875 return NGX_OK; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3876 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3877 failed: |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3878 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3879 EVP_MD_CTX_destroy(md); |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3880 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3881 return NGX_ERROR; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3882 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3883 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3884 |
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3962
diff
changeset
|
3885 ngx_int_t |
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3886 ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3887 { |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3888 size_t len; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3889 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3890 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3891 |
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3892 if (data) { |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3893 shm_zone->data = data; |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3894 return NGX_OK; |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3895 } |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3896 |
5640
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3897 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3898 |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3899 if (shm_zone->shm.exists) { |
5640
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3900 shm_zone->data = shpool->data; |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3901 return NGX_OK; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3902 } |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3903 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3904 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t)); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3905 if (cache == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3906 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3907 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3908 |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3909 shpool->data = cache; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3910 shm_zone->data = cache; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3911 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3912 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel, |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3913 ngx_ssl_session_rbtree_insert_value); |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3914 |
1760 | 3915 ngx_queue_init(&cache->expire_queue); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3916 |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
3917 cache->ticket_keys[0].expire = 0; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
3918 cache->ticket_keys[1].expire = 0; |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
3919 cache->ticket_keys[2].expire = 0; |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
3920 |
8075
38c71f9b2293
SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8074
diff
changeset
|
3921 cache->fail_time = 0; |
38c71f9b2293
SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8074
diff
changeset
|
3922 |
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
3923 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len; |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3924 |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3925 shpool->log_ctx = ngx_slab_alloc(shpool, len); |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3926 if (shpool->log_ctx == NULL) { |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3927 return NGX_ERROR; |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3928 } |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3929 |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3930 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z", |
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
3931 &shm_zone->shm.name); |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3932 |
5634
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3933 shpool->log_nomem = 0; |
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3934 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3935 return NGX_OK; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3936 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3937 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3938 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3939 /* |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3940 * The length of the session id is 16 bytes for SSLv2 sessions and |
8076
fa4b4f38da4a
SSL: updated comment about session sizes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8075
diff
changeset
|
3941 * between 1 and 32 bytes for SSLv3 and TLS, typically 32 bytes. |
fa4b4f38da4a
SSL: updated comment about session sizes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8075
diff
changeset
|
3942 * Typical length of the external ASN1 representation of a session |
fa4b4f38da4a
SSL: updated comment about session sizes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8075
diff
changeset
|
3943 * is about 150 bytes plus SNI server name. |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3944 * |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
3945 * On 32-bit platforms we allocate an rbtree node, a session id, and |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
3946 * an ASN1 representation in a single allocation, it typically takes |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
3947 * 256 bytes. |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3948 * |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3949 * On 64-bit platforms we allocate separately an rbtree node + session_id, |
8076
fa4b4f38da4a
SSL: updated comment about session sizes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8075
diff
changeset
|
3950 * and an ASN1 representation, they take accordingly 128 and 256 bytes. |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3951 * |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3952 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3953 * so they are outside the code locked by shared pool mutex |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3954 */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3955 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3956 static int |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3957 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3958 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3959 int len; |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
3960 u_char *p, *session_id; |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
3961 size_t n; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3962 uint32_t hash; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3963 SSL_CTX *ssl_ctx; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3964 unsigned int session_id_length; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3965 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3966 ngx_connection_t *c; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3967 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3968 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3969 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3970 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3971 |
8074
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3972 #ifdef TLS1_3_VERSION |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3973 |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3974 /* |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3975 * OpenSSL tries to save TLSv1.3 sessions into session cache |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3976 * even when using tickets for stateless session resumption, |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3977 * "because some applications just want to know about the creation |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3978 * of a session"; do not cache such sessions |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3979 */ |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3980 |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3981 if (SSL_version(ssl_conn) == TLS1_3_VERSION |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3982 && (SSL_get_options(ssl_conn) & SSL_OP_NO_TICKET) == 0) |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3983 { |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3984 return 0; |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3985 } |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3986 |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3987 #endif |
026ee23b6774
SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8070
diff
changeset
|
3988 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3989 len = i2d_SSL_SESSION(sess, NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3990 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3991 /* do not cache too big session */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3992 |
8087
81b4326daac7
SSL: removed cast not needed after 5ffd76a9ccf3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8086
diff
changeset
|
3993 if (len > NGX_SSL_MAX_SESSION_SIZE) { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3994 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3995 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3996 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3997 p = buf; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3998 i2d_SSL_SESSION(sess, &p); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3999 |
8077
ec1fa010c3a5
SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8076
diff
changeset
|
4000 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length); |
ec1fa010c3a5
SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8076
diff
changeset
|
4001 |
ec1fa010c3a5
SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8076
diff
changeset
|
4002 /* do not cache sessions with too long session id */ |
ec1fa010c3a5
SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8076
diff
changeset
|
4003 |
ec1fa010c3a5
SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8076
diff
changeset
|
4004 if (session_id_length > 32) { |
ec1fa010c3a5
SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8076
diff
changeset
|
4005 return 0; |
ec1fa010c3a5
SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8076
diff
changeset
|
4006 } |
ec1fa010c3a5
SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8076
diff
changeset
|
4007 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4008 c = ngx_ssl_get_connection(ssl_conn); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4009 |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4010 ssl_ctx = c->ssl->session_ctx; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4011 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4012 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4013 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4014 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4015 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4016 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4017 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4018 /* drop one or two expired sessions */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4019 ngx_ssl_expire_sessions(cache, shpool, 1); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4020 |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4021 #if (NGX_PTR_SIZE == 8) |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4022 n = sizeof(ngx_ssl_sess_id_t); |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4023 #else |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4024 n = offsetof(ngx_ssl_sess_id_t, session) + len; |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4025 #endif |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4026 |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4027 sess_id = ngx_slab_alloc_locked(shpool, n); |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4028 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4029 if (sess_id == NULL) { |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4030 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4031 /* drop the oldest non-expired session and try once more */ |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4032 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4033 ngx_ssl_expire_sessions(cache, shpool, 0); |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4034 |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4035 sess_id = ngx_slab_alloc_locked(shpool, n); |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4036 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4037 if (sess_id == NULL) { |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4038 goto failed; |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4039 } |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4040 } |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4041 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4042 #if (NGX_PTR_SIZE == 8) |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4043 |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4044 sess_id->session = ngx_slab_alloc_locked(shpool, len); |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4045 |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4046 if (sess_id->session == NULL) { |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4047 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4048 /* drop the oldest non-expired session and try once more */ |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4049 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4050 ngx_ssl_expire_sessions(cache, shpool, 0); |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4051 |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4052 sess_id->session = ngx_slab_alloc_locked(shpool, len); |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4053 |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4054 if (sess_id->session == NULL) { |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4055 goto failed; |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
4056 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4057 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4058 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4059 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4060 |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4061 ngx_memcpy(sess_id->session, buf, len); |
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4062 ngx_memcpy(sess_id->id, session_id, session_id_length); |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4063 |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4064 hash = ngx_crc32_short(session_id, session_id_length); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4065 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4066 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4067 "ssl new session: %08XD:%ud:%d", |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4068 hash, session_id_length, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4069 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4070 sess_id->node.key = hash; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4071 sess_id->node.data = (u_char) session_id_length; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4072 sess_id->len = len; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4073 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4074 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4075 |
1760 | 4076 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4077 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
4078 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4079 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4080 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4081 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4082 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4083 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4084 failed: |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4085 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4086 if (sess_id) { |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4087 ngx_slab_free_locked(shpool, sess_id); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4088 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4089 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4090 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4091 |
8075
38c71f9b2293
SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8074
diff
changeset
|
4092 if (cache->fail_time != ngx_time()) { |
38c71f9b2293
SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8074
diff
changeset
|
4093 cache->fail_time = ngx_time(); |
38c71f9b2293
SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8074
diff
changeset
|
4094 ngx_log_error(NGX_LOG_WARN, c->log, 0, |
38c71f9b2293
SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8074
diff
changeset
|
4095 "could not allocate new session%s", shpool->log_ctx); |
38c71f9b2293
SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8074
diff
changeset
|
4096 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4097 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4098 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4099 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4100 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4101 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4102 static ngx_ssl_session_t * |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
4103 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
4104 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
4105 const |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
4106 #endif |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
4107 u_char *id, int len, int *copy) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4108 { |
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
4109 size_t slen; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4110 uint32_t hash; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4111 ngx_int_t rc; |
7509
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
4112 const u_char *p; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4113 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4114 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4115 ngx_rbtree_node_t *node, *sentinel; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4116 ngx_ssl_session_t *sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4117 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4118 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4119 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
4120 ngx_connection_t *c; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4121 |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
4122 hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4123 *copy = 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4124 |
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
4125 c = ngx_ssl_get_connection(ssl_conn); |
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
4126 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4127 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3155 | 4128 "ssl get session: %08XD:%d", hash, len); |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4129 |
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4130 shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx, |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4131 ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4132 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4133 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4134 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4135 sess = NULL; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4136 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4137 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4138 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4139 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4140 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
4141 node = cache->session_rbtree.root; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
4142 sentinel = cache->session_rbtree.sentinel; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4143 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4144 while (node != sentinel) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4145 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4146 if (hash < node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4147 node = node->left; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4148 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4149 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4150 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4151 if (hash > node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4152 node = node->right; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4153 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4154 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4155 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4156 /* hash == node->key */ |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4157 |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4158 sess_id = (ngx_ssl_sess_id_t *) node; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4159 |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
4160 rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id, |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
4161 (size_t) len, (size_t) node->data); |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4162 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4163 if (rc == 0) { |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4164 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4165 if (sess_id->expire > ngx_time()) { |
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
4166 slen = sess_id->len; |
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
4167 |
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
4168 ngx_memcpy(buf, sess_id->session, slen); |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4169 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4170 ngx_shmtx_unlock(&shpool->mutex); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4171 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4172 p = buf; |
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
4173 sess = d2i_SSL_SESSION(NULL, &p, slen); |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4174 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4175 return sess; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4176 } |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4177 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4178 ngx_queue_remove(&sess_id->queue); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4179 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4180 ngx_rbtree_delete(&cache->session_rbtree, node); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4181 |
8079
f106f4a68faf
SSL: explicit clearing of expired sessions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8078
diff
changeset
|
4182 ngx_explicit_memzero(sess_id->session, sess_id->len); |
f106f4a68faf
SSL: explicit clearing of expired sessions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8078
diff
changeset
|
4183 |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4184 #if (NGX_PTR_SIZE == 8) |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4185 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4186 #endif |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4187 ngx_slab_free_locked(shpool, sess_id); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4188 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4189 sess = NULL; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4190 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4191 goto done; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4192 } |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4193 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4194 node = (rc < 0) ? node->left : node->right; |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4195 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4196 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4197 done: |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4198 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4199 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4200 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4201 return sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4202 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4203 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4204 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4205 void |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4206 ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4207 { |
6474 | 4208 SSL_CTX_remove_session(ssl, sess); |
4209 | |
4210 ngx_ssl_remove_session(ssl, sess); | |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4211 } |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4212 |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4213 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4214 static void |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4215 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4216 { |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4217 u_char *id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4218 uint32_t hash; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4219 ngx_int_t rc; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4220 unsigned int len; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4221 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4222 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4223 ngx_rbtree_node_t *node, *sentinel; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4224 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4225 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4226 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4227 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4228 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4229 if (shm_zone == NULL) { |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4230 return; |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4231 } |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4232 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4233 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4234 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4235 id = (u_char *) SSL_SESSION_get_id(sess, &len); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4236 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4237 hash = ngx_crc32_short(id, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4238 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4239 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4240 "ssl remove session: %08XD:%ud", hash, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4241 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4242 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4243 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4244 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4245 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
4246 node = cache->session_rbtree.root; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
4247 sentinel = cache->session_rbtree.sentinel; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4248 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4249 while (node != sentinel) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4250 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4251 if (hash < node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4252 node = node->left; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4253 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4254 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4255 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4256 if (hash > node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4257 node = node->right; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4258 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4259 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4260 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4261 /* hash == node->key */ |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4262 |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4263 sess_id = (ngx_ssl_sess_id_t *) node; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4264 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4265 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4266 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4267 if (rc == 0) { |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4268 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4269 ngx_queue_remove(&sess_id->queue); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4270 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4271 ngx_rbtree_delete(&cache->session_rbtree, node); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4272 |
8079
f106f4a68faf
SSL: explicit clearing of expired sessions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8078
diff
changeset
|
4273 ngx_explicit_memzero(sess_id->session, sess_id->len); |
f106f4a68faf
SSL: explicit clearing of expired sessions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8078
diff
changeset
|
4274 |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4275 #if (NGX_PTR_SIZE == 8) |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4276 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4277 #endif |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4278 ngx_slab_free_locked(shpool, sess_id); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4279 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4280 goto done; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4281 } |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4282 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4283 node = (rc < 0) ? node->left : node->right; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4284 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4285 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4286 done: |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4287 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4288 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4289 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4290 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4291 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4292 static void |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4293 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4294 ngx_slab_pool_t *shpool, ngx_uint_t n) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4295 { |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4296 time_t now; |
1760 | 4297 ngx_queue_t *q; |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
4298 ngx_ssl_sess_id_t *sess_id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4299 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4300 now = ngx_time(); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4301 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4302 while (n < 3) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4303 |
1760 | 4304 if (ngx_queue_empty(&cache->expire_queue)) { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4305 return; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4306 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4307 |
1760 | 4308 q = ngx_queue_last(&cache->expire_queue); |
4309 | |
4310 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue); | |
4311 | |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4312 if (n++ != 0 && sess_id->expire > now) { |
1439 | 4313 return; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4314 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4315 |
1760 | 4316 ngx_queue_remove(q); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4317 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4318 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4319 "expire session: %08Xi", sess_id->node.key); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4320 |
1760 | 4321 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); |
4322 | |
8079
f106f4a68faf
SSL: explicit clearing of expired sessions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8078
diff
changeset
|
4323 ngx_explicit_memzero(sess_id->session, sess_id->len); |
f106f4a68faf
SSL: explicit clearing of expired sessions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8078
diff
changeset
|
4324 |
8078
5244d3b165ff
SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8077
diff
changeset
|
4325 #if (NGX_PTR_SIZE == 8) |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
4326 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4327 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4328 ngx_slab_free_locked(shpool, sess_id); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4329 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4330 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4331 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4332 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4333 static void |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4334 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4335 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel) |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4336 { |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4337 ngx_rbtree_node_t **p; |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4338 ngx_ssl_sess_id_t *sess_id, *sess_id_temp; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4339 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4340 for ( ;; ) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4341 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4342 if (node->key < temp->key) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4343 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4344 p = &temp->left; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4345 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4346 } else if (node->key > temp->key) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4347 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4348 p = &temp->right; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4349 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4350 } else { /* node->key == temp->key */ |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4351 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4352 sess_id = (ngx_ssl_sess_id_t *) node; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4353 sess_id_temp = (ngx_ssl_sess_id_t *) temp; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4354 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4355 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id, |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4356 (size_t) node->data, (size_t) temp->data) |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4357 < 0) ? &temp->left : &temp->right; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4358 } |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4359 |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4360 if (*p == sentinel) { |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4361 break; |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4362 } |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4363 |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4364 temp = *p; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4365 } |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4366 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4367 *p = node; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4368 node->parent = temp; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4369 node->left = sentinel; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4370 node->right = sentinel; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4371 ngx_rbt_red(node); |
1043
7073b87fa8e9
style fix: remove trailing spaces
Igor Sysoev <igor@sysoev.ru>
parents:
1029
diff
changeset
|
4372 } |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4373 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4374 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4375 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4376 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4377 ngx_int_t |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4378 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4379 { |
8081
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4380 u_char buf[80]; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4381 size_t size; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4382 ssize_t n; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4383 ngx_str_t *path; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4384 ngx_file_t file; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4385 ngx_uint_t i; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4386 ngx_array_t *keys; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4387 ngx_file_info_t fi; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4388 ngx_pool_cleanup_t *cln; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4389 ngx_ssl_ticket_key_t *key; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4390 |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4391 if (paths == NULL |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4392 && SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_session_cache_index) == NULL) |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4393 { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4394 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4395 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4396 |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4397 keys = ngx_array_create(cf->pool, paths ? paths->nelts : 3, |
8081
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4398 sizeof(ngx_ssl_ticket_key_t)); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4399 if (keys == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4400 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4401 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4402 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4403 cln = ngx_pool_cleanup_add(cf->pool, 0); |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4404 if (cln == NULL) { |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4405 return NGX_ERROR; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4406 } |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4407 |
8082
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
4408 cln->handler = ngx_ssl_ticket_keys_cleanup; |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4409 cln->data = keys; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4410 |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4411 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_ticket_keys_index, keys) == 0) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4412 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4413 "SSL_CTX_set_ex_data() failed"); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4414 return NGX_ERROR; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4415 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4416 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4417 if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx, ngx_ssl_ticket_key_callback) |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4418 == 0) |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4419 { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4420 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4421 "nginx was built with Session Tickets support, however, " |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4422 "now it is linked dynamically to an OpenSSL library " |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4423 "which has no tlsext support, therefore Session Tickets " |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4424 "are not available"); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4425 return NGX_OK; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4426 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4427 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4428 if (paths == NULL) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4429 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4430 /* placeholder for keys in shared memory */ |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4431 |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4432 key = ngx_array_push_n(keys, 3); |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4433 key[0].shared = 1; |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4434 key[0].expire = 0; |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4435 key[1].shared = 1; |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4436 key[1].expire = 0; |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4437 key[2].shared = 1; |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4438 key[2].expire = 0; |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4439 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4440 return NGX_OK; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4441 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4442 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4443 path = paths->elts; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4444 for (i = 0; i < paths->nelts; i++) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4445 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4446 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4447 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4448 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4449 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4450 ngx_memzero(&file, sizeof(ngx_file_t)); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4451 file.name = path[i]; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4452 file.log = cf->log; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4453 |
7087
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
4454 file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, |
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
4455 NGX_FILE_OPEN, 0); |
7086 | 4456 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4457 if (file.fd == NGX_INVALID_FILE) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4458 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4459 ngx_open_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4460 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4461 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4462 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4463 if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4464 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4465 ngx_fd_info_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4466 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4467 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4468 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4469 size = ngx_file_size(&fi); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4470 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4471 if (size != 48 && size != 80) { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4472 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4473 "\"%V\" must be 48 or 80 bytes", &file.name); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4474 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4475 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4476 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4477 n = ngx_read_file(&file, buf, size, 0); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4478 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4479 if (n == NGX_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4480 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4481 ngx_read_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4482 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4483 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4484 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4485 if ((size_t) n != size) { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4486 ngx_conf_log_error(NGX_LOG_CRIT, cf, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4487 ngx_read_file_n " \"%V\" returned only " |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4488 "%z bytes instead of %uz", &file.name, n, size); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4489 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4490 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4491 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4492 key = ngx_array_push(keys); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4493 if (key == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4494 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4495 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4496 |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4497 key->shared = 0; |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4498 key->expire = 1; |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4499 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4500 if (size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4501 key->size = 48; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4502 ngx_memcpy(key->name, buf, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4503 ngx_memcpy(key->aes_key, buf + 16, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4504 ngx_memcpy(key->hmac_key, buf + 32, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4505 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4506 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4507 key->size = 80; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4508 ngx_memcpy(key->name, buf, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4509 ngx_memcpy(key->hmac_key, buf + 16, 32); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4510 ngx_memcpy(key->aes_key, buf + 48, 32); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4511 } |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4512 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4513 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4514 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4515 ngx_close_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4516 } |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4517 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4518 ngx_explicit_memzero(&buf, 80); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4519 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4520 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4521 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4522 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4523 failed: |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4524 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4525 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4526 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4527 ngx_close_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4528 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4529 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4530 ngx_explicit_memzero(&buf, 80); |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4531 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4532 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4533 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4534 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4535 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4536 static int |
8082
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
4537 ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4538 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4539 HMAC_CTX *hctx, int enc) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4540 { |
8081
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4541 size_t size; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4542 SSL_CTX *ssl_ctx; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4543 ngx_uint_t i; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4544 ngx_array_t *keys; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4545 ngx_connection_t *c; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4546 ngx_ssl_ticket_key_t *key; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4547 const EVP_MD *digest; |
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4548 const EVP_CIPHER *cipher; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4549 |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4550 c = ngx_ssl_get_connection(ssl_conn); |
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4551 ssl_ctx = c->ssl->session_ctx; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4552 |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4553 if (ngx_ssl_rotate_ticket_keys(ssl_ctx, c->log) != NGX_OK) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4554 return -1; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4555 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4556 |
6686
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4557 #ifdef OPENSSL_NO_SHA256 |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4558 digest = EVP_sha1(); |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4559 #else |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4560 digest = EVP_sha256(); |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4561 #endif |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4562 |
8082
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
4563 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_ticket_keys_index); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4564 if (keys == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4565 return -1; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4566 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4567 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4568 key = keys->elts; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4569 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4570 if (enc == 1) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4571 /* encrypt session ticket */ |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4572 |
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4573 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8083
e13a271bdd40
SSL: shorter debug messages about session tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
4574 "ssl ticket encrypt, key: \"%*xs\" (%s session)", |
7736
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
7732
diff
changeset
|
4575 (size_t) 16, key[0].name, |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4576 SSL_session_reused(ssl_conn) ? "reused" : "new"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4577 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4578 if (key[0].size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4579 cipher = EVP_aes_128_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4580 size = 16; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4581 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4582 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4583 cipher = EVP_aes_256_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4584 size = 32; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4585 } |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4586 |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4587 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) { |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4588 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4589 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4590 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4591 |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4592 if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) { |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4593 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4594 "EVP_EncryptInit_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4595 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4596 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4597 |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4598 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4599 if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4600 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4601 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4602 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4603 #else |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4604 HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL); |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4605 #endif |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4606 |
5760
4b668378ad8b
Style: use ngx_memcpy() instead of memcpy().
Piotr Sikora <piotr@cloudflare.com>
parents:
5756
diff
changeset
|
4607 ngx_memcpy(name, key[0].name, 16); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4608 |
6660
3eb1a92a2f05
SSL: adopted session ticket handling for OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6659
diff
changeset
|
4609 return 1; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4610 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4611 } else { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4612 /* decrypt session ticket */ |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4613 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4614 for (i = 0; i < keys->nelts; i++) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4615 if (ngx_memcmp(name, key[i].name, 16) == 0) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4616 goto found; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4617 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4618 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4619 |
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4620 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8083
e13a271bdd40
SSL: shorter debug messages about session tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
4621 "ssl ticket decrypt, key: \"%*xs\" not found", |
7736
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
7732
diff
changeset
|
4622 (size_t) 16, name); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4623 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4624 return 0; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4625 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4626 found: |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4627 |
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4628 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8083
e13a271bdd40
SSL: shorter debug messages about session tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8082
diff
changeset
|
4629 "ssl ticket decrypt, key: \"%*xs\"%s", |
7736
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
7732
diff
changeset
|
4630 (size_t) 16, key[i].name, (i == 0) ? " (default)" : ""); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4631 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4632 if (key[i].size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4633 cipher = EVP_aes_128_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4634 size = 16; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4635 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4636 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4637 cipher = EVP_aes_256_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4638 size = 32; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4639 } |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4640 |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4641 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4642 if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4643 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4644 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4645 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4646 #else |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4647 HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL); |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4648 #endif |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4649 |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4650 if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) { |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4651 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4652 "EVP_DecryptInit_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4653 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4654 } |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4655 |
7997
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4656 /* renew if TLSv1.3 */ |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4657 |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4658 #ifdef TLS1_3_VERSION |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4659 if (SSL_version(ssl_conn) == TLS1_3_VERSION) { |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4660 return 2; |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4661 } |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4662 #endif |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4663 |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4664 /* renew if non-default key */ |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4665 |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4666 if (i != 0 && key[i].expire) { |
7997
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4667 return 2; |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4668 } |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4669 |
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4670 return 1; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4671 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4672 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4673 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4674 |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4675 static ngx_int_t |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4676 ngx_ssl_rotate_ticket_keys(SSL_CTX *ssl_ctx, ngx_log_t *log) |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4677 { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4678 time_t now, expire; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4679 ngx_array_t *keys; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4680 ngx_shm_zone_t *shm_zone; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4681 ngx_slab_pool_t *shpool; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4682 ngx_ssl_ticket_key_t *key; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4683 ngx_ssl_session_cache_t *cache; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4684 u_char buf[80]; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4685 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4686 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_ticket_keys_index); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4687 if (keys == NULL) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4688 return NGX_OK; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4689 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4690 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4691 key = keys->elts; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4692 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4693 if (!key[0].shared) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4694 return NGX_OK; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4695 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4696 |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4697 /* |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4698 * if we don't need to update expiration of the current key |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4699 * and the previous key is still needed, don't sync with shared |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4700 * memory to save some work; in the worst case other worker process |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4701 * will switch to the next key, but this process will still be able |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4702 * to decrypt tickets encrypted with it |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4703 */ |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4704 |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4705 now = ngx_time(); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4706 expire = now + SSL_CTX_get_timeout(ssl_ctx); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4707 |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4708 if (key[0].expire >= expire && key[1].expire >= now) { |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4709 return NGX_OK; |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4710 } |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4711 |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4712 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4713 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4714 cache = shm_zone->data; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4715 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4716 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4717 ngx_shmtx_lock(&shpool->mutex); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4718 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4719 key = cache->ticket_keys; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4720 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4721 if (key[0].expire == 0) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4722 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4723 /* initialize the current key */ |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4724 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4725 if (RAND_bytes(buf, 80) != 1) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4726 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "RAND_bytes() failed"); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4727 ngx_shmtx_unlock(&shpool->mutex); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4728 return NGX_ERROR; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4729 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4730 |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4731 key[0].shared = 1; |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4732 key[0].expire = expire; |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4733 key[0].size = 80; |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4734 ngx_memcpy(key[0].name, buf, 16); |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4735 ngx_memcpy(key[0].hmac_key, buf + 16, 32); |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4736 ngx_memcpy(key[0].aes_key, buf + 48, 32); |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4737 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4738 ngx_explicit_memzero(&buf, 80); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4739 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4740 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0, |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4741 "ssl ticket key: \"%*xs\"", |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4742 (size_t) 16, key[0].name); |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4743 |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4744 /* |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4745 * copy the current key to the next key, as initialization of |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4746 * the previous key will replace the current key with the next |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4747 * key |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4748 */ |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4749 |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4750 key[2] = key[0]; |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4751 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4752 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4753 if (key[1].expire < now) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4754 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4755 /* |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4756 * if the previous key is no longer needed (or not initialized), |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4757 * replace it with the current key, replace the current key with |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4758 * the next key, and generate new next key |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4759 */ |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4760 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4761 key[1] = key[0]; |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4762 key[0] = key[2]; |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4763 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4764 if (RAND_bytes(buf, 80) != 1) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4765 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "RAND_bytes() failed"); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4766 ngx_shmtx_unlock(&shpool->mutex); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4767 return NGX_ERROR; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4768 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4769 |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4770 key[2].shared = 1; |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4771 key[2].expire = 0; |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4772 key[2].size = 80; |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4773 ngx_memcpy(key[2].name, buf, 16); |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4774 ngx_memcpy(key[2].hmac_key, buf + 16, 32); |
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4775 ngx_memcpy(key[2].aes_key, buf + 48, 32); |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4776 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4777 ngx_explicit_memzero(&buf, 80); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4778 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4779 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0, |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4780 "ssl ticket key: \"%*xs\"", |
8085
043006e5a0b1
SSL: optimized rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8084
diff
changeset
|
4781 (size_t) 16, key[2].name); |
8084
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4782 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4783 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4784 /* |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4785 * update expiration of the current key: it is going to be needed |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4786 * at least till the session being created expires |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4787 */ |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4788 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4789 if (expire > key[0].expire) { |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4790 key[0].expire = expire; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4791 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4792 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4793 /* sync keys to the worker process memory */ |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4794 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4795 ngx_memcpy(keys->elts, cache->ticket_keys, |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4796 2 * sizeof(ngx_ssl_ticket_key_t)); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4797 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4798 ngx_shmtx_unlock(&shpool->mutex); |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4799 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4800 return NGX_OK; |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4801 } |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4802 |
0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8083
diff
changeset
|
4803 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4804 static void |
8082
c71e113b57d8
SSL: renamed session ticket key functions and data index.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8081
diff
changeset
|
4805 ngx_ssl_ticket_keys_cleanup(void *data) |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4806 { |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4807 ngx_array_t *keys = data; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4808 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4809 ngx_explicit_memzero(keys->elts, |
8081
4eeb53743d25
SSL: renamed session ticket key type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8079
diff
changeset
|
4810 keys->nelts * sizeof(ngx_ssl_ticket_key_t)); |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4811 } |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4812 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4813 #else |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4814 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4815 ngx_int_t |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4816 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4817 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4818 if (paths) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4819 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
7074
07a49cce21ca
SSL: fixed typo in the error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6995
diff
changeset
|
4820 "\"ssl_session_ticket_key\" ignored, not supported"); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4821 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4822 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4823 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4824 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4825 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4826 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4827 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4828 |
509 | 4829 void |
4830 ngx_ssl_cleanup_ctx(void *data) | |
4831 { | |
589 | 4832 ngx_ssl_t *ssl = data; |
509 | 4833 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4834 X509 *cert, *next; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4835 |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4836 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4837 |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4838 while (cert) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4839 next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4840 X509_free(cert); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4841 cert = next; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4842 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4843 |
589 | 4844 SSL_CTX_free(ssl->ctx); |
509 | 4845 } |
541 | 4846 |
4847 | |
671 | 4848 ngx_int_t |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4849 ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4850 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4851 X509 *cert; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4852 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4853 cert = SSL_get_peer_certificate(c->ssl->connection); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4854 if (cert == NULL) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4855 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4856 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4857 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
4858 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4859 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4860 /* X509_check_host() is only available in OpenSSL 1.0.2+ */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4861 |
5669
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4862 if (name->len == 0) { |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4863 goto failed; |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4864 } |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4865 |
5767
abd460ece11e
SSL: fix build with recent OpenSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5760
diff
changeset
|
4866 if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) { |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4867 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4868 "X509_check_host(): no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4869 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4870 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4871 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4872 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4873 "X509_check_host(): match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4874 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4875 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4876 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4877 #else |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4878 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4879 int n, i; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4880 X509_NAME *sname; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4881 ASN1_STRING *str; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4882 X509_NAME_ENTRY *entry; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4883 GENERAL_NAME *altname; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4884 STACK_OF(GENERAL_NAME) *altnames; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4885 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4886 /* |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4887 * As per RFC6125 and RFC2818, we check subjectAltName extension, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4888 * and if it's not present - commonName in Subject is checked. |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4889 */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4890 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4891 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4892 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4893 if (altnames) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4894 n = sk_GENERAL_NAME_num(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4895 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4896 for (i = 0; i < n; i++) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4897 altname = sk_GENERAL_NAME_value(altnames, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4898 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4899 if (altname->type != GEN_DNS) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4900 continue; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4901 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4902 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4903 str = altname->d.dNSName; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4904 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4905 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4906 "SSL subjectAltName: \"%*s\"", |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4907 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4908 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4909 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4910 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4911 "SSL subjectAltName: match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4912 GENERAL_NAMES_free(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4913 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4914 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4915 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4916 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4917 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4918 "SSL subjectAltName: no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4919 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4920 GENERAL_NAMES_free(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4921 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4922 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4923 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4924 /* |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4925 * If there is no subjectAltName extension, check commonName |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4926 * in Subject. While RFC2818 requires to only check "most specific" |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4927 * CN, both Apache and OpenSSL check all CNs, and so do we. |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4928 */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4929 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4930 sname = X509_get_subject_name(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4931 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4932 if (sname == NULL) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4933 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4934 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4935 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4936 i = -1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4937 for ( ;; ) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4938 i = X509_NAME_get_index_by_NID(sname, NID_commonName, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4939 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4940 if (i < 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4941 break; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4942 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4943 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4944 entry = X509_NAME_get_entry(sname, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4945 str = X509_NAME_ENTRY_get_data(entry); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4946 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4947 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4948 "SSL commonName: \"%*s\"", |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4949 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4950 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4951 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4952 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4953 "SSL commonName: match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4954 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4955 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4956 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4957 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4958 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4959 "SSL commonName: no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4960 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4961 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4962 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4963 failed: |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4964 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4965 X509_free(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4966 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4967 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4968 found: |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4969 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4970 X509_free(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4971 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4972 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4973 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4974 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
4975 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4976 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4977 static ngx_int_t |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4978 ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern) |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4979 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4980 u_char *s, *p, *end; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4981 size_t slen, plen; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4982 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4983 s = name->data; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4984 slen = name->len; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4985 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4986 p = ASN1_STRING_data(pattern); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4987 plen = ASN1_STRING_length(pattern); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4988 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4989 if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4990 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4991 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4992 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4993 if (plen > 2 && p[0] == '*' && p[1] == '.') { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4994 plen -= 1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4995 p += 1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4996 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4997 end = s + slen; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4998 s = ngx_strlchr(s, end, '.'); |
5666
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4999 |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
5000 if (s == NULL) { |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
5001 return NGX_ERROR; |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
5002 } |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
5003 |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5004 slen = end - s; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5005 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5006 if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5007 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5008 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5009 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5010 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5011 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5012 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5013 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5014 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5015 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5016 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
5017 ngx_int_t |
671 | 5018 ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
611 | 5019 { |
671 | 5020 s->data = (u_char *) SSL_get_version(c->ssl->connection); |
5021 return NGX_OK; | |
611 | 5022 } |
5023 | |
5024 | |
671 | 5025 ngx_int_t |
5026 ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
611 | 5027 { |
671 | 5028 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection); |
5029 return NGX_OK; | |
611 | 5030 } |
5031 | |
5032 | |
647 | 5033 ngx_int_t |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5034 ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5035 { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5036 #ifdef SSL_CTRL_GET_RAW_CIPHERLIST |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5037 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5038 int n, i, bytes; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5039 size_t len; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5040 u_char *ciphers, *p; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5041 const SSL_CIPHER *cipher; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5042 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5043 bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5044 n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5045 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5046 if (n <= 0) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5047 s->len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5048 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5049 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5050 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5051 len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5052 n /= bytes; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5053 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5054 for (i = 0; i < n; i++) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5055 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5056 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5057 if (cipher) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5058 len += ngx_strlen(SSL_CIPHER_get_name(cipher)); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5059 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5060 } else { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5061 len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5062 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5063 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5064 len += sizeof(":") - 1; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5065 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5066 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5067 s->data = ngx_pnalloc(pool, len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5068 if (s->data == NULL) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5069 return NGX_ERROR; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5070 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5071 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5072 p = s->data; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5073 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5074 for (i = 0; i < n; i++) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5075 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5076 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5077 if (cipher) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5078 p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher)); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5079 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5080 } else { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5081 p = ngx_sprintf(p, "0x"); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5082 p = ngx_hex_dump(p, ciphers + i * bytes, bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5083 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5084 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5085 *p++ = ':'; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5086 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5087 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5088 p--; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5089 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5090 s->len = p - s->data; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5091 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5092 #else |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5093 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5094 u_char buf[4096]; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5095 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5096 if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5097 == NULL) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5098 { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5099 s->len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5100 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5101 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5102 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5103 s->len = ngx_strlen(buf); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5104 s->data = ngx_pnalloc(pool, s->len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5105 if (s->data == NULL) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5106 return NGX_ERROR; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5107 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5108 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5109 ngx_memcpy(s->data, buf, s->len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5110 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5111 #endif |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5112 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5113 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5114 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5115 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5116 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
5117 ngx_int_t |
7973
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5118 ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5119 { |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5120 #ifdef SSL_get_negotiated_group |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5121 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5122 int nid; |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5123 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5124 nid = SSL_get_negotiated_group(c->ssl->connection); |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5125 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5126 if (nid != NID_undef) { |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5127 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5128 if ((nid & TLSEXT_nid_unknown) == 0) { |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5129 s->len = ngx_strlen(OBJ_nid2sn(nid)); |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5130 s->data = (u_char *) OBJ_nid2sn(nid); |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5131 return NGX_OK; |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5132 } |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5133 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5134 s->len = sizeof("0x0000") - 1; |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5135 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5136 s->data = ngx_pnalloc(pool, s->len); |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5137 if (s->data == NULL) { |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5138 return NGX_ERROR; |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5139 } |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5140 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5141 ngx_sprintf(s->data, "0x%04xd", nid & 0xffff); |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5142 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5143 return NGX_OK; |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5144 } |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5145 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5146 #endif |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5147 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5148 s->len = 0; |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5149 return NGX_OK; |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5150 } |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5151 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5152 |
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
5153 ngx_int_t |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5154 ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5155 { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5156 #ifdef SSL_CTRL_GET_CURVES |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5157 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5158 int *curves, n, i, nid; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5159 u_char *p; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5160 size_t len; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5161 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5162 n = SSL_get1_curves(c->ssl->connection, NULL); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5163 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5164 if (n <= 0) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5165 s->len = 0; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5166 return NGX_OK; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5167 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5168 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5169 curves = ngx_palloc(pool, n * sizeof(int)); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5170 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5171 n = SSL_get1_curves(c->ssl->connection, curves); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5172 len = 0; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5173 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5174 for (i = 0; i < n; i++) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5175 nid = curves[i]; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5176 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5177 if (nid & TLSEXT_nid_unknown) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5178 len += sizeof("0x0000") - 1; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5179 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5180 } else { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5181 len += ngx_strlen(OBJ_nid2sn(nid)); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5182 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5183 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5184 len += sizeof(":") - 1; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5185 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5186 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5187 s->data = ngx_pnalloc(pool, len); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5188 if (s->data == NULL) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5189 return NGX_ERROR; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5190 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5191 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5192 p = s->data; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5193 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5194 for (i = 0; i < n; i++) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5195 nid = curves[i]; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5196 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5197 if (nid & TLSEXT_nid_unknown) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5198 p = ngx_sprintf(p, "0x%04xd", nid & 0xffff); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5199 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5200 } else { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5201 p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid)); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5202 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5203 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5204 *p++ = ':'; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5205 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5206 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5207 p--; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5208 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5209 s->len = p - s->data; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5210 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5211 #else |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5212 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5213 s->len = 0; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5214 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5215 #endif |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5216 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5217 return NGX_OK; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5218 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5219 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5220 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
5221 ngx_int_t |
3154 | 5222 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5223 { | |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
5224 u_char *buf; |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
5225 SSL_SESSION *sess; |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
5226 unsigned int len; |
3154 | 5227 |
5228 sess = SSL_get0_session(c->ssl->connection); | |
5537
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
5229 if (sess == NULL) { |
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
5230 s->len = 0; |
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
5231 return NGX_OK; |
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
5232 } |
3154 | 5233 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
5234 buf = (u_char *) SSL_SESSION_get_id(sess, &len); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
5235 |
3154 | 5236 s->len = 2 * len; |
5237 s->data = ngx_pnalloc(pool, 2 * len); | |
5238 if (s->data == NULL) { | |
5239 return NGX_ERROR; | |
5240 } | |
5241 | |
5242 ngx_hex_dump(s->data, buf, len); | |
5243 | |
5244 return NGX_OK; | |
5245 } | |
5246 | |
5247 | |
5248 ngx_int_t | |
5573
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5249 ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5250 { |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5251 if (SSL_session_reused(c->ssl->connection)) { |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5252 ngx_str_set(s, "r"); |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5253 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5254 } else { |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5255 ngx_str_set(s, "."); |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5256 } |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5257 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5258 return NGX_OK; |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5259 } |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5260 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5261 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
5262 ngx_int_t |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5263 ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5264 { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5265 s->len = 0; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5266 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5267 #ifdef SSL_ERROR_EARLY_DATA_REJECTED |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5268 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5269 /* BoringSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5270 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5271 if (SSL_in_early_data(c->ssl->connection)) { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5272 ngx_str_set(s, "1"); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5273 } |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5274 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5275 #elif defined SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5276 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5277 /* OpenSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5278 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5279 if (!SSL_is_init_finished(c->ssl->connection)) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5280 ngx_str_set(s, "1"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5281 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
5282 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5283 #endif |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5284 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5285 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5286 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5287 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5288 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
5289 ngx_int_t |
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5290 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5291 { |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5292 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5293 |
7092
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5294 size_t len; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5295 const char *name; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5296 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5297 name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5298 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5299 if (name) { |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5300 len = ngx_strlen(name); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5301 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5302 s->len = len; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5303 s->data = ngx_pnalloc(pool, len); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5304 if (s->data == NULL) { |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5305 return NGX_ERROR; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5306 } |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5307 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5308 ngx_memcpy(s->data, name, len); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
5309 |
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5310 return NGX_OK; |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5311 } |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5312 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5313 #endif |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5314 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5315 s->len = 0; |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5316 return NGX_OK; |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5317 } |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5318 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5319 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
5320 ngx_int_t |
7935
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5321 ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5322 { |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5323 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5324 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5325 unsigned int len; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5326 const unsigned char *data; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5327 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5328 SSL_get0_alpn_selected(c->ssl->connection, &data, &len); |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5329 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5330 if (len > 0) { |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5331 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5332 s->data = ngx_pnalloc(pool, len); |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5333 if (s->data == NULL) { |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5334 return NGX_ERROR; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5335 } |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5336 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5337 ngx_memcpy(s->data, data, len); |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5338 s->len = len; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5339 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5340 return NGX_OK; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5341 } |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5342 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5343 #endif |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5344 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5345 s->len = 0; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5346 return NGX_OK; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5347 } |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5348 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5349 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5350 ngx_int_t |
2123 | 5351 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2045 | 5352 { |
5353 size_t len; | |
5354 BIO *bio; | |
5355 X509 *cert; | |
5356 | |
5357 s->len = 0; | |
5358 | |
5359 cert = SSL_get_peer_certificate(c->ssl->connection); | |
5360 if (cert == NULL) { | |
5361 return NGX_OK; | |
5362 } | |
5363 | |
5364 bio = BIO_new(BIO_s_mem()); | |
5365 if (bio == NULL) { | |
5366 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); | |
5367 X509_free(cert); | |
5368 return NGX_ERROR; | |
5369 } | |
5370 | |
5371 if (PEM_write_bio_X509(bio, cert) == 0) { | |
5372 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed"); | |
5373 goto failed; | |
5374 } | |
5375 | |
5376 len = BIO_pending(bio); | |
5377 s->len = len; | |
5378 | |
2049 | 5379 s->data = ngx_pnalloc(pool, len); |
2045 | 5380 if (s->data == NULL) { |
5381 goto failed; | |
5382 } | |
5383 | |
5384 BIO_read(bio, s->data, len); | |
5385 | |
5386 BIO_free(bio); | |
5387 X509_free(cert); | |
5388 | |
5389 return NGX_OK; | |
5390 | |
5391 failed: | |
5392 | |
5393 BIO_free(bio); | |
5394 X509_free(cert); | |
5395 | |
5396 return NGX_ERROR; | |
5397 } | |
5398 | |
5399 | |
5400 ngx_int_t | |
2123 | 5401 ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5402 { | |
5403 u_char *p; | |
5404 size_t len; | |
5405 ngx_uint_t i; | |
5406 ngx_str_t cert; | |
5407 | |
5408 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { | |
5409 return NGX_ERROR; | |
5410 } | |
5411 | |
5412 if (cert.len == 0) { | |
5413 s->len = 0; | |
5414 return NGX_OK; | |
5415 } | |
5416 | |
5417 len = cert.len - 1; | |
5418 | |
5419 for (i = 0; i < cert.len - 1; i++) { | |
5420 if (cert.data[i] == LF) { | |
5421 len++; | |
5422 } | |
5423 } | |
5424 | |
5425 s->len = len; | |
5426 s->data = ngx_pnalloc(pool, len); | |
5427 if (s->data == NULL) { | |
5428 return NGX_ERROR; | |
5429 } | |
5430 | |
5431 p = s->data; | |
5432 | |
3002
bf0c7e58e016
fix memory corruption in $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents:
2997
diff
changeset
|
5433 for (i = 0; i < cert.len - 1; i++) { |
2123 | 5434 *p++ = cert.data[i]; |
5435 if (cert.data[i] == LF) { | |
5436 *p++ = '\t'; | |
5437 } | |
5438 } | |
5439 | |
5440 return NGX_OK; | |
5441 } | |
5442 | |
5443 | |
5444 ngx_int_t | |
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5445 ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5446 ngx_str_t *s) |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5447 { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5448 ngx_str_t cert; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5449 uintptr_t n; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5450 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5451 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5452 return NGX_ERROR; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5453 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5454 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5455 if (cert.len == 0) { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5456 s->len = 0; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5457 return NGX_OK; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5458 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5459 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5460 n = ngx_escape_uri(NULL, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT); |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5461 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5462 s->len = cert.len + n * 2; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5463 s->data = ngx_pnalloc(pool, s->len); |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5464 if (s->data == NULL) { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5465 return NGX_ERROR; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5466 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5467 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5468 ngx_escape_uri(s->data, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT); |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5469 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5470 return NGX_OK; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5471 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5472 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5473 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5474 ngx_int_t |
647 | 5475 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5476 { | |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5477 BIO *bio; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5478 X509 *cert; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5479 X509_NAME *name; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5480 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5481 s->len = 0; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5482 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5483 cert = SSL_get_peer_certificate(c->ssl->connection); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5484 if (cert == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5485 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5486 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5487 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5488 name = X509_get_subject_name(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5489 if (name == NULL) { |
7484
65074e13f171
SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.
Nikolay Morozov <n.morozov@securitycode.ru>
parents:
7477
diff
changeset
|
5490 X509_free(cert); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5491 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5492 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5493 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5494 bio = BIO_new(BIO_s_mem()); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5495 if (bio == NULL) { |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5496 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5497 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5498 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5499 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5500 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5501 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) { |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5502 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed"); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5503 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5504 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5505 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5506 s->len = BIO_pending(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5507 s->data = ngx_pnalloc(pool, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5508 if (s->data == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5509 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5510 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5511 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5512 BIO_read(bio, s->data, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5513 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5514 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5515 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5516 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5517 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5518 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5519 failed: |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5520 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5521 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5522 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5523 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5524 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5525 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5526 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5527 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5528 ngx_int_t |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5529 ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5530 { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5531 BIO *bio; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5532 X509 *cert; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5533 X509_NAME *name; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5534 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5535 s->len = 0; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5536 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5537 cert = SSL_get_peer_certificate(c->ssl->connection); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5538 if (cert == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5539 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5540 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5541 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5542 name = X509_get_issuer_name(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5543 if (name == NULL) { |
7484
65074e13f171
SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.
Nikolay Morozov <n.morozov@securitycode.ru>
parents:
7477
diff
changeset
|
5544 X509_free(cert); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5545 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5546 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5547 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5548 bio = BIO_new(BIO_s_mem()); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5549 if (bio == NULL) { |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5550 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5551 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5552 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5553 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5554 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5555 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) { |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5556 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed"); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5557 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5558 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5559 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5560 s->len = BIO_pending(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5561 s->data = ngx_pnalloc(pool, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5562 if (s->data == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5563 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5564 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5565 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5566 BIO_read(bio, s->data, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5567 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5568 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5569 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5570 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5571 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5572 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5573 failed: |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5574 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5575 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5576 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5577 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5578 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5579 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5580 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5581 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5582 ngx_int_t |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5583 ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5584 ngx_str_t *s) |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5585 { |
647 | 5586 char *p; |
5587 size_t len; | |
5588 X509 *cert; | |
5589 X509_NAME *name; | |
5590 | |
5591 s->len = 0; | |
5592 | |
5593 cert = SSL_get_peer_certificate(c->ssl->connection); | |
5594 if (cert == NULL) { | |
5595 return NGX_OK; | |
5596 } | |
5597 | |
5598 name = X509_get_subject_name(cert); | |
5599 if (name == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5600 X509_free(cert); |
647 | 5601 return NGX_ERROR; |
5602 } | |
5603 | |
5604 p = X509_NAME_oneline(name, NULL, 0); | |
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5605 if (p == NULL) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5606 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5607 X509_free(cert); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5608 return NGX_ERROR; |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5609 } |
647 | 5610 |
5611 for (len = 0; p[len]; len++) { /* void */ } | |
5612 | |
5613 s->len = len; | |
2049 | 5614 s->data = ngx_pnalloc(pool, len); |
647 | 5615 if (s->data == NULL) { |
5616 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5617 X509_free(cert); |
647 | 5618 return NGX_ERROR; |
5619 } | |
5620 | |
5621 ngx_memcpy(s->data, p, len); | |
5622 | |
5623 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5624 X509_free(cert); |
647 | 5625 |
5626 return NGX_OK; | |
5627 } | |
5628 | |
5629 | |
5630 ngx_int_t | |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5631 ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5632 ngx_str_t *s) |
647 | 5633 { |
5634 char *p; | |
5635 size_t len; | |
5636 X509 *cert; | |
5637 X509_NAME *name; | |
5638 | |
5639 s->len = 0; | |
5640 | |
5641 cert = SSL_get_peer_certificate(c->ssl->connection); | |
5642 if (cert == NULL) { | |
5643 return NGX_OK; | |
5644 } | |
5645 | |
5646 name = X509_get_issuer_name(cert); | |
5647 if (name == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5648 X509_free(cert); |
647 | 5649 return NGX_ERROR; |
5650 } | |
5651 | |
5652 p = X509_NAME_oneline(name, NULL, 0); | |
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5653 if (p == NULL) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5654 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5655 X509_free(cert); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5656 return NGX_ERROR; |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5657 } |
647 | 5658 |
5659 for (len = 0; p[len]; len++) { /* void */ } | |
5660 | |
5661 s->len = len; | |
2049 | 5662 s->data = ngx_pnalloc(pool, len); |
647 | 5663 if (s->data == NULL) { |
5664 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5665 X509_free(cert); |
647 | 5666 return NGX_ERROR; |
5667 } | |
5668 | |
5669 ngx_memcpy(s->data, p, len); | |
5670 | |
5671 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5672 X509_free(cert); |
647 | 5673 |
5674 return NGX_OK; | |
5675 } | |
5676 | |
5677 | |
671 | 5678 ngx_int_t |
5679 ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
5680 { | |
5681 size_t len; | |
5682 X509 *cert; | |
5683 BIO *bio; | |
5684 | |
5685 s->len = 0; | |
5686 | |
5687 cert = SSL_get_peer_certificate(c->ssl->connection); | |
5688 if (cert == NULL) { | |
5689 return NGX_OK; | |
5690 } | |
5691 | |
5692 bio = BIO_new(BIO_s_mem()); | |
5693 if (bio == NULL) { | |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5694 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5695 X509_free(cert); |
671 | 5696 return NGX_ERROR; |
5697 } | |
5698 | |
5699 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); | |
5700 len = BIO_pending(bio); | |
5701 | |
5702 s->len = len; | |
2049 | 5703 s->data = ngx_pnalloc(pool, len); |
671 | 5704 if (s->data == NULL) { |
5705 BIO_free(bio); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5706 X509_free(cert); |
671 | 5707 return NGX_ERROR; |
5708 } | |
5709 | |
5710 BIO_read(bio, s->data, len); | |
5711 BIO_free(bio); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5712 X509_free(cert); |
671 | 5713 |
5714 return NGX_OK; | |
5715 } | |
5716 | |
5717 | |
2994 | 5718 ngx_int_t |
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5719 ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5720 { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5721 X509 *cert; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5722 unsigned int len; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5723 u_char buf[EVP_MAX_MD_SIZE]; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5724 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5725 s->len = 0; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5726 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5727 cert = SSL_get_peer_certificate(c->ssl->connection); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5728 if (cert == NULL) { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5729 return NGX_OK; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5730 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5731 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5732 if (!X509_digest(cert, EVP_sha1(), buf, &len)) { |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5733 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_digest() failed"); |
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5734 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5735 return NGX_ERROR; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5736 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5737 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5738 s->len = 2 * len; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5739 s->data = ngx_pnalloc(pool, 2 * len); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5740 if (s->data == NULL) { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5741 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5742 return NGX_ERROR; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5743 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5744 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5745 ngx_hex_dump(s->data, buf, len); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5746 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5747 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5748 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5749 return NGX_OK; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5750 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5751 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5752 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5753 ngx_int_t |
2994 | 5754 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5755 { | |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5756 X509 *cert; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5757 long rc; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5758 const char *str; |
2994 | 5759 |
5760 cert = SSL_get_peer_certificate(c->ssl->connection); | |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5761 if (cert == NULL) { |
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3488
diff
changeset
|
5762 ngx_str_set(s, "NONE"); |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5763 return NGX_OK; |
2994 | 5764 } |
5765 | |
5766 X509_free(cert); | |
5767 | |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5768 rc = SSL_get_verify_result(c->ssl->connection); |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5769 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5770 if (rc == X509_V_OK) { |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5771 if (ngx_ssl_ocsp_get_status(c, &str) == NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5772 ngx_str_set(s, "SUCCESS"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5773 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5774 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5775 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5776 } else { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5777 str = X509_verify_cert_error_string(rc); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5778 } |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5779 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5780 s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str)); |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5781 if (s->data == NULL) { |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5782 return NGX_ERROR; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5783 } |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5784 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5785 s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5786 |
2994 | 5787 return NGX_OK; |
5788 } | |
5789 | |
5790 | |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5791 ngx_int_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5792 ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5793 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5794 BIO *bio; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5795 X509 *cert; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5796 size_t len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5797 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5798 s->len = 0; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5799 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5800 cert = SSL_get_peer_certificate(c->ssl->connection); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5801 if (cert == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5802 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5803 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5804 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5805 bio = BIO_new(BIO_s_mem()); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5806 if (bio == NULL) { |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5807 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5808 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5809 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5810 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5811 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5812 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5813 ASN1_TIME_print(bio, X509_get0_notBefore(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5814 #else |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5815 ASN1_TIME_print(bio, X509_get_notBefore(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5816 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5817 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5818 len = BIO_pending(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5819 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5820 s->len = len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5821 s->data = ngx_pnalloc(pool, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5822 if (s->data == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5823 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5824 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5825 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5826 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5827 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5828 BIO_read(bio, s->data, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5829 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5830 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5831 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5832 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5833 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5834 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5835 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5836 ngx_int_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5837 ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5838 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5839 BIO *bio; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5840 X509 *cert; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5841 size_t len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5842 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5843 s->len = 0; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5844 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5845 cert = SSL_get_peer_certificate(c->ssl->connection); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5846 if (cert == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5847 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5848 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5849 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5850 bio = BIO_new(BIO_s_mem()); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5851 if (bio == NULL) { |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5852 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5853 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5854 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5855 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5856 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5857 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5858 ASN1_TIME_print(bio, X509_get0_notAfter(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5859 #else |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5860 ASN1_TIME_print(bio, X509_get_notAfter(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5861 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5862 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5863 len = BIO_pending(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5864 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5865 s->len = len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5866 s->data = ngx_pnalloc(pool, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5867 if (s->data == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5868 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5869 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5870 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5871 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5872 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5873 BIO_read(bio, s->data, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5874 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5875 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5876 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5877 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5878 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5879 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5880 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5881 ngx_int_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5882 ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5883 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5884 X509 *cert; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5885 time_t now, end; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5886 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5887 s->len = 0; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5888 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5889 cert = SSL_get_peer_certificate(c->ssl->connection); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5890 if (cert == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5891 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5892 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5893 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5894 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5895 end = ngx_ssl_parse_time(X509_get0_notAfter(cert), c->log); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5896 #else |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5897 end = ngx_ssl_parse_time(X509_get_notAfter(cert), c->log); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5898 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5899 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5900 if (end == (time_t) NGX_ERROR) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5901 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5902 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5903 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5904 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5905 now = ngx_time(); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5906 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5907 if (end < now + 86400) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5908 ngx_str_set(s, "0"); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5909 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5910 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5911 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5912 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5913 s->data = ngx_pnalloc(pool, NGX_TIME_T_LEN); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5914 if (s->data == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5915 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5916 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5917 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5918 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5919 s->len = ngx_sprintf(s->data, "%T", (end - now) / 86400) - s->data; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5920 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5921 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5922 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5923 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5924 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5925 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5926 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5927 static time_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5928 ngx_ssl_parse_time( |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5929 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5930 const |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5931 #endif |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5932 ASN1_TIME *asn1time, ngx_log_t *log) |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5933 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5934 BIO *bio; |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5935 char *value; |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5936 size_t len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5937 time_t time; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5938 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5939 /* |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5940 * OpenSSL doesn't provide a way to convert ASN1_TIME |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5941 * into time_t. To do this, we use ASN1_TIME_print(), |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5942 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g., |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5943 * "Feb 3 00:55:52 2015 GMT"), and parse the result. |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5944 */ |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5945 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5946 bio = BIO_new(BIO_s_mem()); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5947 if (bio == NULL) { |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5948 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "BIO_new() failed"); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5949 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5950 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5951 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5952 /* fake weekday prepended to match C asctime() format */ |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5953 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5954 BIO_write(bio, "Tue ", sizeof("Tue ") - 1); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5955 ASN1_TIME_print(bio, asn1time); |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5956 len = BIO_get_mem_data(bio, &value); |
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5957 |
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5958 time = ngx_parse_http_time((u_char *) value, len); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5959 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5960 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5961 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5962 return time; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5963 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5964 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5965 |
541 | 5966 static void * |
5967 ngx_openssl_create_conf(ngx_cycle_t *cycle) | |
5968 { | |
5969 ngx_openssl_conf_t *oscf; | |
577 | 5970 |
541 | 5971 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t)); |
5972 if (oscf == NULL) { | |
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2764
diff
changeset
|
5973 return NULL; |
541 | 5974 } |
577 | 5975 |
541 | 5976 /* |
5977 * set by ngx_pcalloc(): | |
577 | 5978 * |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5979 * oscf->engine = 0; |
577 | 5980 */ |
541 | 5981 |
5982 return oscf; | |
5983 } | |
5984 | |
5985 | |
5986 static char * | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5987 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
541 | 5988 { |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5989 #ifndef OPENSSL_NO_ENGINE |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5990 |
541 | 5991 ngx_openssl_conf_t *oscf = conf; |
571 | 5992 |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5993 ENGINE *engine; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5994 ngx_str_t *value; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5995 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5996 if (oscf->engine) { |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5997 return "is duplicate"; |
541 | 5998 } |
577 | 5999 |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6000 oscf->engine = 1; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6001 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6002 value = cf->args->elts; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6003 |
6552 | 6004 engine = ENGINE_by_id((char *) value[1].data); |
541 | 6005 |
6006 if (engine == NULL) { | |
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6687
diff
changeset
|
6007 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6008 "ENGINE_by_id(\"%V\") failed", &value[1]); |
541 | 6009 return NGX_CONF_ERROR; |
6010 } | |
6011 | |
6012 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) { | |
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6687
diff
changeset
|
6013 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
541 | 6014 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed", |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6015 &value[1]); |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6016 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6017 ENGINE_free(engine); |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6018 |
541 | 6019 return NGX_CONF_ERROR; |
6020 } | |
6021 | |
6022 ENGINE_free(engine); | |
6023 | |
6024 return NGX_CONF_OK; | |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
6025 |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
6026 #else |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
6027 |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
6028 return "is not supported"; |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
6029 |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
6030 #endif |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
6031 } |
571 | 6032 |
6033 | |
6034 static void | |
6035 ngx_openssl_exit(ngx_cycle_t *cycle) | |
6036 { | |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
6037 #if OPENSSL_VERSION_NUMBER < 0x10100003L |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
6038 |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
6039 EVP_cleanup(); |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
6040 #ifndef OPENSSL_NO_ENGINE |
571 | 6041 ENGINE_cleanup(); |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
6042 #endif |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
6043 |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
6044 #endif |
571 | 6045 } |