annotate src/core/ngx_spinlock.c @ 7360:8f25a44d9add

SSL: logging level of "no suitable key share". The "no suitable key share" errors are reported by OpenSSL 1.1.1 when using TLSv1.3 if there are no shared groups (that is, elliptic curves). In particular, it is easy enough to trigger by using only a single curve in ssl_ecdh_curve: ssl_ecdh_curve secp384r1; and using a different curve in the client: openssl s_client -connect 127.0.0.1:443 -curves prime256v1 On the client side it is seen as "sslv3 alert handshake failure", "SSL alert number 40": 0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40 It can be also triggered with default ssl_ecdh_curve by using a curve which is not in the default list (X25519, prime256v1, X448, secp521r1, secp384r1): openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1 Given that many clients hardcode prime256v1, these errors might become a common problem with TLSv1.3 if ssl_ecdh_curve is redefined. Previously this resulted in not using ECDH with such clients, but with TLSv1.3 it is no longer possible and will result in a handshake failure. The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same situation. Seen at: https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share
author Maxim Dounin <mdounin@mdounin.ru>
date Tue, 25 Sep 2018 13:59:53 +0300
parents f737e406aa68
children
2 /*
3 * Copyright (C) Igor Sysoev
4 * Copyright (C) Nginx, Inc.
5 */
8 #include <ngx_config.h>
9 #include <ngx_core.h>
/*
 * Busy-wait until *lock can be changed from 0 to "value".
 *
 * lock   the lock word; 0 is treated as "free" by the checks below
 * value  what is passed to ngx_atomic_cmp_set() as the new contents
 * spin   upper bound for the pause back-off (the pause count doubles
 *        while it stays below this bound)
 *
 * With NGX_HAVE_ATOMIC_OPS the function returns only after
 * ngx_atomic_cmp_set(lock, 0, value) has succeeded; there is no timeout
 * and no failure return, so a lock word that is never reset to 0 keeps
 * every caller in this loop.
 *
 * Without NGX_HAVE_ATOMIC_OPS the body is empty: the call returns at once
 * and never touches *lock, so it gives no mutual exclusion.  The #error
 * below makes a threaded build (NGX_THREADS) fail to compile rather than
 * run with such a no-op lock.
 */
void
ngx_spinlock(ngx_atomic_t *lock, ngx_atomic_int_t value, ngx_uint_t spin)
{

#if (NGX_HAVE_ATOMIC_OPS)

    ngx_uint_t  backoff, pauses;

    for ( ;; ) {

        /*
         * Plain read first; the compare-and-set is attempted only
         * when the lock word currently reads as 0.
         */
        if (*lock == 0 && ngx_atomic_cmp_set(lock, 0, value)) {
            return;
        }

        /* the pause back-off is used only when more than one CPU is reported */
        if (ngx_ncpu > 1) {

            /*
             * backoff takes the values 1, 2, 4, ... below spin.
             * NOTE(review): a spin above the largest power of two that
             * fits in ngx_uint_t would presumably wrap backoff to 0 and
             * keep this loop from ever reaching ngx_sched_yield();
             * confirm that callers pass small values.
             */
            for (backoff = 1; backoff < spin; backoff <<= 1) {

                /* issue "backoff" pause hints before looking at the lock again */
                for (pauses = backoff; pauses != 0; pauses--) {
                    ngx_cpu_pause();
                }

                if (*lock == 0 && ngx_atomic_cmp_set(lock, 0, value)) {
                    return;
                }
            }
        }

        /* back-off exhausted (or skipped): yield, then start over */
        ngx_sched_yield();
    }

#else

#if (NGX_THREADS)

#error ngx_spinlock() or ngx_atomic_cmp_set() are not defined !

#endif

#endif

}