annotate src/event/ngx_event_openssl.c @ 5115:a29c574d61fa

Status: introduced the "ngx_stat_waiting" counter. And corresponding variable $connections_waiting was added. Previously, waiting connections were counted as the difference between active connections and the sum of reading and writing connections. That made it impossible to count more than one request in one connection as reading or writing (as is the case for SPDY). Also, we no longer count connections in handshake state as waiting.
author Valentin Bartenev <vbart@nginx.com>
date Fri, 15 Mar 2013 20:00:49 +0000
parents bebcc2f837d3
children 23a186e8ca45 35b00bcf72fe
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
441
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 399
diff changeset
1
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 399
diff changeset
2 /*
444
42d11f017717 nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents: 441
diff changeset
3 * Copyright (C) Igor Sysoev
4412
d620f497c50f Copyright updated.
Maxim Konovalov <maxim@nginx.com>
parents: 4400
diff changeset
4 * Copyright (C) Nginx, Inc.
441
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 399
diff changeset
5 */
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents: 399
diff changeset
6
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
7
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
8 #include <ngx_config.h>
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
9 #include <ngx_core.h>
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
10 #include <ngx_event.h>
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
11
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
12
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
13 typedef struct {
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
14 ngx_uint_t engine; /* unsigned engine:1; */
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
15 } ngx_openssl_conf_t;
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 473
diff changeset
16
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
17
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
18 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
19 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
20 int ret);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
21 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
22 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
23 static void ngx_ssl_write_handler(ngx_event_t *wev);
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
24 static void ngx_ssl_read_handler(ngx_event_t *rev);
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
25 static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
26 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
27 ngx_err_t err, char *text);
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
28 static void ngx_ssl_clear_error(ngx_log_t *log);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
29
3992
a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents: 3962
diff changeset
30 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
31 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
32 ngx_ssl_session_t *sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
33 static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
34 u_char *id, int len, int *copy);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
35 static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
36 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
37 ngx_slab_pool_t *shpool, ngx_uint_t n);
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
38 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
39 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
40
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
41 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
42 static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
43 static void ngx_openssl_exit(ngx_cycle_t *cycle);
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
44
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
45
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
46 static ngx_command_t ngx_openssl_commands[] = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
47
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
48 { ngx_string("ssl_engine"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
49 NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
50 ngx_openssl_engine,
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
51 0,
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
52 0,
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
53 NULL },
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
54
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
55 ngx_null_command
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
56 };
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
57
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
58
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
59 static ngx_core_module_t ngx_openssl_module_ctx = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
60 ngx_string("openssl"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
61 ngx_openssl_create_conf,
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
62 NULL
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
63 };
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
64
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
65
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
66 ngx_module_t ngx_openssl_module = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
67 NGX_MODULE_V1,
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
68 &ngx_openssl_module_ctx, /* module context */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
69 ngx_openssl_commands, /* module directives */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
70 NGX_CORE_MODULE, /* module type */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
71 NULL, /* init master */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
72 NULL, /* init module */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
73 NULL, /* init process */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
74 NULL, /* init thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
75 NULL, /* exit thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
76 NULL, /* exit process */
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
77 ngx_openssl_exit, /* exit master */
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
78 NGX_MODULE_V1_PADDING
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
79 };
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
80
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
81
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
82 int ngx_ssl_connection_index;
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
83 int ngx_ssl_server_conf_index;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
84 int ngx_ssl_session_cache_index;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
85 int ngx_ssl_certificate_index;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
86 int ngx_ssl_stapling_index;
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
87
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
88
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
89 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
90 ngx_ssl_init(ngx_log_t *log)
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
91 {
968
1b60ecc8cdb7 OPENSSL_config()
Igor Sysoev <igor@sysoev.ru>
parents: 671
diff changeset
92 OPENSSL_config(NULL);
1b60ecc8cdb7 OPENSSL_config()
Igor Sysoev <igor@sysoev.ru>
parents: 671
diff changeset
93
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
94 SSL_library_init();
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
95 SSL_load_error_strings();
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
96
3464
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents: 3457
diff changeset
97 OpenSSL_add_all_algorithms();
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents: 3457
diff changeset
98
4868
22a6ef66b6f5 SSL: added version checks for ssl compression workaround.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4867
diff changeset
99 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
4696
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
100 #ifndef SSL_OP_NO_COMPRESSION
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
101 {
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
102 /*
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
103 * Disable gzip compression in OpenSSL prior to 1.0.0 version,
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
104 * this saves about 522K per connection.
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
105 */
4867
90bbf2adb2c9 SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4696
diff changeset
106 int n;
4696
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
107 STACK_OF(SSL_COMP) *ssl_comp_methods;
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
108
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
109 ssl_comp_methods = SSL_COMP_get_compression_methods();
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
110 n = sk_SSL_COMP_num(ssl_comp_methods);
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
111
4867
90bbf2adb2c9 SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4696
diff changeset
112 while (n--) {
90bbf2adb2c9 SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4696
diff changeset
113 (void) sk_SSL_COMP_pop(ssl_comp_methods);
4696
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
114 }
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
115 }
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
116 #endif
4868
22a6ef66b6f5 SSL: added version checks for ssl compression workaround.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4867
diff changeset
117 #endif
4696
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents: 4651
diff changeset
118
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
119 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
120
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
121 if (ngx_ssl_connection_index == -1) {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
122 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
123 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
124 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
125
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
126 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
127 NULL);
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
128 if (ngx_ssl_server_conf_index == -1) {
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
129 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
130 "SSL_CTX_get_ex_new_index() failed");
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
131 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
132 }
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
133
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
134 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
135 NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
136 if (ngx_ssl_session_cache_index == -1) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
137 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
138 "SSL_CTX_get_ex_new_index() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
139 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
140 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
141
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
142 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
143 NULL);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
144 if (ngx_ssl_certificate_index == -1) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
145 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
146 "SSL_CTX_get_ex_new_index() failed");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
147 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
148 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
149
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
150 ngx_ssl_stapling_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
151 NULL);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
152 if (ngx_ssl_stapling_index == -1) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
153 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
154 "SSL_CTX_get_ex_new_index() failed");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
155 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
156 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
157
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
158 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
159 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
160
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
161
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
162 ngx_int_t
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
163 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
164 {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
165 ssl->ctx = SSL_CTX_new(SSLv23_method());
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
166
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
167 if (ssl->ctx == NULL) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
168 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
169 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
170 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
171
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
172 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
173 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
174 "SSL_CTX_set_ex_data() failed");
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
175 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
176 }
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
177
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
178 /* client side options */
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
179
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
180 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
181 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
182
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
183 /* server side options */
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
184
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
185 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
186 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
187
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
188 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
189 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
190
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
191 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
192 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
193 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
194
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
195 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
196
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
197 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
198
4400
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
199 if (!(protocols & NGX_SSL_SSLv2)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
200 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
201 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
202 if (!(protocols & NGX_SSL_SSLv3)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
203 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
204 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
205 if (!(protocols & NGX_SSL_TLSv1)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
206 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
207 }
4400
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
208 #ifdef SSL_OP_NO_TLSv1_1
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
209 if (!(protocols & NGX_SSL_TLSv1_1)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
210 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
211 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
212 #endif
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
213 #ifdef SSL_OP_NO_TLSv1_2
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
214 if (!(protocols & NGX_SSL_TLSv1_2)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
215 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
216 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4236
diff changeset
217 #endif
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
218
4185
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents: 4064
diff changeset
219 #ifdef SSL_OP_NO_COMPRESSION
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents: 4064
diff changeset
220 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents: 4064
diff changeset
221 #endif
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents: 4064
diff changeset
222
4186
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents: 4185
diff changeset
223 #ifdef SSL_MODE_RELEASE_BUFFERS
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents: 4185
diff changeset
224 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents: 4185
diff changeset
225 #endif
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents: 4185
diff changeset
226
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
227 SSL_CTX_set_read_ahead(ssl->ctx, 1);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
228
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
229 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
230
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
231 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
232 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
233
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
234
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
235 ngx_int_t
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
236 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
237 ngx_str_t *key)
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
238 {
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
239 BIO *bio;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
240 X509 *x509;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
241 u_long n;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
242
2536
a6d6d762c554 small optimization: " == NGX_ERROR" > " != NGX_OK"
Igor Sysoev <igor@sysoev.ru>
parents: 2504
diff changeset
243 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
244 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
245 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
246
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
247 /*
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
248 * we can't use SSL_CTX_use_certificate_chain_file() as it doesn't
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
249 * allow to access certificate later from SSL_CTX, so we reimplement
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
250 * it here
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
251 */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
252
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
253 bio = BIO_new_file((char *) cert->data, "r");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
254 if (bio == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
255 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
256 "BIO_new_file(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
257 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
258 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
259
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
260 x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
261 if (x509 == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
262 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
263 "PEM_read_bio_X509_AUX(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
264 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
265 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
266 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
267
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
268 if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
269 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
270 "SSL_CTX_use_certificate(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
271 X509_free(x509);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
272 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
273 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
274 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
275
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
276 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509)
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
277 == 0)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
278 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
279 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
280 "SSL_CTX_set_ex_data() failed");
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
281 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
282 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
283
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
284 X509_free(x509);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
285
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
286 /* read rest of the chain */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
287
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
288 for ( ;; ) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
289
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
290 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
291 if (x509 == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
292 n = ERR_peek_last_error();
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
293
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
294 if (ERR_GET_LIB(n) == ERR_LIB_PEM
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
295 && ERR_GET_REASON(n) == PEM_R_NO_START_LINE)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
296 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
297 /* end of file */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
298 ERR_clear_error();
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
299 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
300 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
301
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
302 /* some real error */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
303
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
304 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
305 "PEM_read_bio_X509(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
306 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
307 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
308 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
309
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
310 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
311 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
312 "SSL_CTX_add_extra_chain_cert(\"%s\") failed",
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
313 cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
314 X509_free(x509);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
315 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
316 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
317 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
318 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
319
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
320 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4872
diff changeset
321
2536
a6d6d762c554 small optimization: " == NGX_ERROR" > " != NGX_OK"
Igor Sysoev <igor@sysoev.ru>
parents: 2504
diff changeset
322 if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
323 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
324 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
325
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
326 if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
327 SSL_FILETYPE_PEM)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
328 == 0)
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
329 {
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
330 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
331 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
332 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
333 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
334
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
335 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
336 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
337
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
338
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
339 ngx_int_t
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
340 ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
341 ngx_int_t depth)
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
342 {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
343 STACK_OF(X509_NAME) *list;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
344
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
345 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_http_ssl_verify_callback);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
346
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
347 SSL_CTX_set_verify_depth(ssl->ctx, depth);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
348
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
349 if (cert->len == 0) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
350 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
351 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
352
2536
a6d6d762c554 small optimization: " == NGX_ERROR" > " != NGX_OK"
Igor Sysoev <igor@sysoev.ru>
parents: 2504
diff changeset
353 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
354 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
355 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
356
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
357 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
358 == 0)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
359 {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
360 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
361 "SSL_CTX_load_verify_locations(\"%s\") failed",
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
362 cert->data);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
363 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
364 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
365
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
366 list = SSL_load_client_CA_file((char *) cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
367
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
368 if (list == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
369 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
370 "SSL_load_client_CA_file(\"%s\") failed", cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
371 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
372 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
373
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
374 /*
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
375 * before 0.9.7h and 0.9.8 SSL_load_client_CA_file()
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
376 * always leaved an error in the error queue
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
377 */
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
378
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
379 ERR_clear_error();
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
380
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
381 SSL_CTX_set_client_CA_list(ssl->ctx, list);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
382
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
383 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
384 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
385
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
386
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
387 ngx_int_t
4872
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
388 ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
389 ngx_int_t depth)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
390 {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
391 SSL_CTX_set_verify_depth(ssl->ctx, depth);
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
392
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
393 if (cert->len == 0) {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
394 return NGX_OK;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
395 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
396
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
397 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
398 return NGX_ERROR;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
399 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
400
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
401 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
402 == 0)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
403 {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
404 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
405 "SSL_CTX_load_verify_locations(\"%s\") failed",
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
406 cert->data);
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
407 return NGX_ERROR;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
408 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
409
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
410 return NGX_OK;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
411 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
412
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
413
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4868
diff changeset
414 ngx_int_t
2995
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
415 ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
416 {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
417 X509_STORE *store;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
418 X509_LOOKUP *lookup;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
419
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
420 if (crl->len == 0) {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
421 return NGX_OK;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
422 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
423
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
424 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
425 return NGX_ERROR;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
426 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
427
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
428 store = SSL_CTX_get_cert_store(ssl->ctx);
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
429
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
430 if (store == NULL) {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
431 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
432 "SSL_CTX_get_cert_store() failed");
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
433 return NGX_ERROR;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
434 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
435
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
436 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
437
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
438 if (lookup == NULL) {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
439 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
440 "X509_STORE_add_lookup() failed");
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
441 return NGX_ERROR;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
442 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
443
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
444 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM)
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
445 == 0)
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
446 {
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
447 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
448 "X509_LOOKUP_load_file(\"%s\") failed", crl->data);
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
449 return NGX_ERROR;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
450 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
451
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
452 X509_STORE_set_flags(store,
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
453 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
454
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
455 return NGX_OK;
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
456 }
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
457
cc07d164f0dc ssl_crl
Igor Sysoev <igor@sysoev.ru>
parents: 2994
diff changeset
458
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
459 static int
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
460 ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
461 {
1977
40c9cb8576bb get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents: 1976
diff changeset
462 #if (NGX_DEBUG)
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
463 char *subject, *issuer;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
464 int err, depth;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
465 X509 *cert;
1976
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
466 X509_NAME *sname, *iname;
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
467 ngx_connection_t *c;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
468 ngx_ssl_conn_t *ssl_conn;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
469
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
470 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
471 SSL_get_ex_data_X509_STORE_CTX_idx());
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
472
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
473 c = ngx_ssl_get_connection(ssl_conn);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
474
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
475 cert = X509_STORE_CTX_get_current_cert(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
476 err = X509_STORE_CTX_get_error(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
477 depth = X509_STORE_CTX_get_error_depth(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
478
1976
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
479 sname = X509_get_subject_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
480 subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)";
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
481
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
482 iname = X509_get_issuer_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
483 issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)";
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
484
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
485 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
486 "verify:%d, error:%d, depth:%d, "
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
487 "subject:\"%s\",issuer: \"%s\"",
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
488 ok, err, depth, subject, issuer);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
489
1976
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
490 if (sname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
491 OPENSSL_free(subject);
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
492 }
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
493
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
494 if (iname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
495 OPENSSL_free(issuer);
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
496 }
1977
40c9cb8576bb get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents: 1976
diff changeset
497 #endif
1976
c4d8867f0162 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1974
diff changeset
498
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
499 return 1;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
500 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
501
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
502
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
503 static void
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
504 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
505 {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
506 ngx_connection_t *c;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
507
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
508 if (where & SSL_CB_HANDSHAKE_START) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
509 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
510
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
511 if (c->ssl->handshaked) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
512 c->ssl->renegotiation = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
513 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
514 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
515 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
516 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
517
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
518
3959
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
519 RSA *
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
520 ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length)
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
521 {
3959
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
522 static RSA *key;
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
523
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
524 if (key_length == 512) {
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
525 if (key == NULL) {
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
526 key = RSA_generate_key(512, RSA_F4, NULL, NULL);
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
527 }
559
c1f965ef9718 nginx-0.3.1-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 549
diff changeset
528 }
c1f965ef9718 nginx-0.3.1-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 549
diff changeset
529
3959
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents: 3851
diff changeset
530 return key;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
531 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
532
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
533
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
534 ngx_int_t
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
535 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
536 {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
537 DH *dh;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
538 BIO *bio;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
539
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
540 /*
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
541 * -----BEGIN DH PARAMETERS-----
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
542 * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
543 * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
544 * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
545 * -----END DH PARAMETERS-----
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
546 */
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
547
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
548 static unsigned char dh1024_p[] = {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
549 0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
550 0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
551 0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
552 0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
553 0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
554 0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
555 0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
556 0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
557 0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
558 0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
559 0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
560 };
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
561
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
562 static unsigned char dh1024_g[] = { 0x02 };
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
563
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
564
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
565 if (file->len == 0) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
566
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
567 dh = DH_new();
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
568 if (dh == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
569 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
570 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
571 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
572
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
573 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
574 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
575
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
576 if (dh->p == NULL || dh->g == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
577 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
578 DH_free(dh);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
579 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
580 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
581
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
582 SSL_CTX_set_tmp_dh(ssl->ctx, dh);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
583
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
584 DH_free(dh);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
585
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
586 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
587 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
588
2536
a6d6d762c554 small optimization: " == NGX_ERROR" > " != NGX_OK"
Igor Sysoev <igor@sysoev.ru>
parents: 2504
diff changeset
589 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
590 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
591 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
592
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
593 bio = BIO_new_file((char *) file->data, "r");
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
594 if (bio == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
595 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
596 "BIO_new_file(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
597 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
598 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
599
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
600 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
601 if (dh == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
602 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
603 "PEM_read_bio_DHparams(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
604 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
605 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
606 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
607
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
608 SSL_CTX_set_tmp_dh(ssl->ctx, dh);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
609
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
610 DH_free(dh);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
611 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
612
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
613 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
614 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
615
4522
14411ee4d89f Whitespace fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4499
diff changeset
616
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
617 ngx_int_t
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
618 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
619 {
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
620 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
621 #ifndef OPENSSL_NO_ECDH
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
622 int nid;
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
623 EC_KEY *ecdh;
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
624
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
625 /*
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
626 * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
4572
67653855682e Fixed spelling in multiline C comments.
Ruslan Ermilov <ru@nginx.com>
parents: 4522
diff changeset
627 * from RFC 4492 section 5.1.1, or explicitly described curves over
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
628 * binary fields. OpenSSL only supports the "named curves", which provide
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
629 * maximum interoperability.
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
630 */
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
631
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
632 nid = OBJ_sn2nid((const char *) name->data);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
633 if (nid == 0) {
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
634 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
635 "Unknown curve name \"%s\"", name->data);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
636 return NGX_ERROR;
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
637 }
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
638
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
639 ecdh = EC_KEY_new_by_curve_name(nid);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
640 if (ecdh == NULL) {
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
641 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
642 "Unable to create curve \"%s\"", name->data);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
643 return NGX_ERROR;
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
644 }
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
645
5003
82234f3f5ca2 SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4877
diff changeset
646 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
82234f3f5ca2 SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4877
diff changeset
647
3960
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
648 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
649
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
650 EC_KEY_free(ecdh);
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
651 #endif
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
652 #endif
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
653
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
654 return NGX_OK;
0832a6997227 ECDHE support
Igor Sysoev <igor@sysoev.ru>
parents: 3959
diff changeset
655 }
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
656
4522
14411ee4d89f Whitespace fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4499
diff changeset
657
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
658 ngx_int_t
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
659 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
660 {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
661 ngx_ssl_connection_t *sc;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
662
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
663 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
664 if (sc == NULL) {
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
665 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
666 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
667
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
668 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
669
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
670 sc->connection = SSL_new(ssl->ctx);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
671
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
672 if (sc->connection == NULL) {
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
673 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed");
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
674 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
675 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
676
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
677 if (SSL_set_fd(sc->connection, c->fd) == 0) {
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
678 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed");
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
679 return NGX_ERROR;
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
680 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
681
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
682 if (flags & NGX_SSL_CLIENT) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
683 SSL_set_connect_state(sc->connection);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
684
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
685 } else {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
686 SSL_set_accept_state(sc->connection);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
687 }
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
688
969
065b39794fff ngx_ssl_get_server_conf()
Igor Sysoev <igor@sysoev.ru>
parents: 968
diff changeset
689 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
690 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
691 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
692 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
693
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
694 c->ssl = sc;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
695
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
696 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
697 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
698
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
699
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
700 ngx_int_t
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
701 ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
702 {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
703 if (session) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
704 if (SSL_set_session(c->ssl->connection, session) == 0) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
705 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed");
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
706 return NGX_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
707 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
708 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
709
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
710 return NGX_OK;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
711 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
712
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
713
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
714 ngx_int_t
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
715 ngx_ssl_handshake(ngx_connection_t *c)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
716 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
717 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
718 ngx_err_t err;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
719
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
720 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
721
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
722 n = SSL_do_handshake(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
723
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
724 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
725
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
726 if (n == 1) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
727
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
728 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
729 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
730 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
731
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
732 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
733 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
734 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
735
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
736 #if (NGX_DEBUG)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
737 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
738 char buf[129], *s, *d;
3851
033015e01eec fix building on Fedora 14
Igor Sysoev <igor@sysoev.ru>
parents: 3815
diff changeset
739 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
3488
92378c49456d MSVC8 compatibility with OpenSSL 1.0.0
Igor Sysoev <igor@sysoev.ru>
parents: 3464
diff changeset
740 const
92378c49456d MSVC8 compatibility with OpenSSL 1.0.0
Igor Sysoev <igor@sysoev.ru>
parents: 3464
diff changeset
741 #endif
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
742 SSL_CIPHER *cipher;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
743
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
744 cipher = SSL_get_current_cipher(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
745
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
746 if (cipher) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
747 SSL_CIPHER_description(cipher, &buf[1], 128);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
748
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
749 for (s = &buf[1], d = buf; *s; s++) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
750 if (*s == ' ' && *d == ' ') {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
751 continue;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
752 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
753
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
754 if (*s == LF || *s == CR) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
755 continue;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
756 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
757
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
758 *++d = *s;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
759 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
760
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
761 if (*d != ' ') {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
762 d++;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
763 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
764
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
765 *d = '\0';
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
766
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
767 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
768 "SSL: %s, cipher: \"%s\"",
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
769 SSL_get_version(c->ssl->connection), &buf[1]);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
770
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
771 if (SSL_session_reused(c->ssl->connection)) {
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
772 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
773 "SSL reused session");
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
774 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
775
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
776 } else {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
777 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
778 "SSL no shared ciphers");
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
779 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
780 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
781 #endif
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
782
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
783 c->ssl->handshaked = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
784
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
785 c->recv = ngx_ssl_recv;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
786 c->send = ngx_ssl_write;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
787 c->recv_chain = ngx_ssl_recv_chain;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
788 c->send_chain = ngx_ssl_send_chain;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
789
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
790 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
791 if (c->ssl->connection->s3) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
792 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
793 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
794
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
795 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
796 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
797
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
798 sslerr = SSL_get_error(c->ssl->connection, n);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
799
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
800 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
801
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
802 if (sslerr == SSL_ERROR_WANT_READ) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
803 c->read->ready = 0;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
804 c->read->handler = ngx_ssl_handshake_handler;
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
805 c->write->handler = ngx_ssl_handshake_handler;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
806
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
807 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
808 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
809 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
810
5024
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
811 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
812 return NGX_ERROR;
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
813 }
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
814
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
815 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
816 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
817
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
818 if (sslerr == SSL_ERROR_WANT_WRITE) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
819 c->write->ready = 0;
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
820 c->read->handler = ngx_ssl_handshake_handler;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
821 c->write->handler = ngx_ssl_handshake_handler;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
822
5024
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
823 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
824 return NGX_ERROR;
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
825 }
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5023
diff changeset
826
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
827 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
828 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
829 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
830
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
831 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
832 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
833
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
834 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
835
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
836 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
837 c->ssl->no_send_shutdown = 1;
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
838 c->read->eof = 1;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
839
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
840 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
841 ngx_log_error(NGX_LOG_INFO, c->log, err,
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
842 "peer closed connection in SSL handshake");
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
843
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
844 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
845 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
846
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
847 c->read->error = 1;
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
848
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
849 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
850
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
851 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
852 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
853
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
854
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
855 static void
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
856 ngx_ssl_handshake_handler(ngx_event_t *ev)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
857 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
858 ngx_connection_t *c;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
859
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
860 c = ev->data;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
861
549
e16a8d574da5 nginx-0.2.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 547
diff changeset
862 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
863 "SSL handshake handler: %d", ev->write);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
864
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
865 if (ev->timedout) {
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
866 c->ssl->handler(c);
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
867 return;
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
868 }
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
869
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
870 if (ngx_ssl_handshake(c) == NGX_AGAIN) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
871 return;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
872 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
873
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
874 c->ssl->handler(c);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
875 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
876
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
877
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
878 ssize_t
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
879 ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl)
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
880 {
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
881 u_char *last;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
882 ssize_t n, bytes;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
883 ngx_buf_t *b;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
884
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
885 bytes = 0;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
886
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
887 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
888 last = b->last;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
889
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
890 for ( ;; ) {
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
891
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
892 n = ngx_ssl_recv(c, last, b->end - last);
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
893
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
894 if (n > 0) {
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
895 last += n;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
896 bytes += n;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
897
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
898 if (last == b->end) {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
899 cl = cl->next;
1154
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
900
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
901 if (cl == NULL) {
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
902 return bytes;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
903 }
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
904
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
905 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents: 1043
diff changeset
906 last = b->last;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
907 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
908
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
909 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
910 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
911
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
912 if (bytes) {
2052
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
913
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
914 if (n == 0 || n == NGX_ERROR) {
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
915 c->read->ready = 1;
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
916 }
b4085596a7e6 fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents: 2049
diff changeset
917
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
918 return bytes;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
919 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
920
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
921 return n;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
922 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
923 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
924
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
925
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
926 ssize_t
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
927 ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
928 {
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
929 int n, bytes;
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
930
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
931 if (c->ssl->last == NGX_ERROR) {
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
932 c->read->error = 1;
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
933 return NGX_ERROR;
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
934 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
935
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
936 if (c->ssl->last == NGX_DONE) {
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
937 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
938 c->read->eof = 1;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
939 return 0;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
940 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
941
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
942 bytes = 0;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
943
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
944 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
945
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
946 /*
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
947 * SSL_read() may return data in parts, so try to read
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
948 * until SSL_read() would return no data
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
949 */
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
950
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
951 for ( ;; ) {
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
952
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
953 n = SSL_read(c->ssl->connection, buf, size);
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
954
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
955 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
956
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
957 if (n > 0) {
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
958 bytes += n;
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
959 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
960
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
961 c->ssl->last = ngx_ssl_handle_recv(c, n);
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
962
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
963 if (c->ssl->last == NGX_OK) {
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
964
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
965 size -= n;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
966
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
967 if (size == 0) {
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
968 return bytes;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
969 }
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
970
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
971 buf += n;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
972
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
973 continue;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
974 }
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
975
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
976 if (bytes) {
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
977 return bytes;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
978 }
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
979
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
980 switch (c->ssl->last) {
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
981
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
982 case NGX_DONE:
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
983 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
984 c->read->eof = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
985 return 0;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
986
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
987 case NGX_ERROR:
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
988 c->read->error = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
989
4499
778ef9c3fd2d Fixed spelling in single-line comments.
Ruslan Ermilov <ru@nginx.com>
parents: 4497
diff changeset
990 /* fall through */
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
991
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
992 case NGX_AGAIN:
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
993 return c->ssl->last;
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 473
diff changeset
994 }
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
995 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
996 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
997
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
998
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
999 static ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1000 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1001 {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1002 int sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1003 ngx_err_t err;
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1004
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1005 if (c->ssl->renegotiation) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1006 /*
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1007 * disable renegotiation (CVE-2009-3555):
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1008 * OpenSSL (at least up to 0.9.8l) does not handle disabled
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1009 * renegotiation gracefully, so drop connection here
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1010 */
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1011
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1012 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1013
4236
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1014 while (ERR_peek_error()) {
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1015 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1016 "ignoring stale global SSL error");
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1017 }
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1018
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1019 ERR_clear_error();
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents: 4228
diff changeset
1020
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1021 c->ssl->no_wait_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1022 c->ssl->no_send_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1023
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1024 return NGX_ERROR;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1025 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1026
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1027 if (n > 0) {
479
c52408583801 nginx-0.1.14-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 473
diff changeset
1028
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1029 if (c->ssl->saved_write_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1030
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1031 c->write->handler = c->ssl->saved_write_handler;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1032 c->ssl->saved_write_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1033 c->write->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1034
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1035 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1036 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1037 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1038
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
1039 ngx_post_event(c->write, &ngx_posted_events);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1040 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1041
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1042 return NGX_OK;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1043 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1044
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1045 sslerr = SSL_get_error(c->ssl->connection, n);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1046
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1047 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1048
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1049 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1050
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1051 if (sslerr == SSL_ERROR_WANT_READ) {
455
295d97d70c69 nginx-0.1.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 452
diff changeset
1052 c->read->ready = 0;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1053 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1054 }
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1055
445
f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
1056 if (sslerr == SSL_ERROR_WANT_WRITE) {
539
371c1cee100d nginx-0.1.44-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 513
diff changeset
1057
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1058 ngx_log_error(NGX_LOG_INFO, c->log, 0,
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1059 "peer started SSL renegotiation");
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1060
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1061 c->write->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1062
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1063 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1064 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1065 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1066
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1067 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1068 * we do not set the timer because there is already the read event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1069 */
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1070
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1071 if (c->ssl->saved_write_handler == NULL) {
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1072 c->ssl->saved_write_handler = c->write->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1073 c->write->handler = ngx_ssl_write_handler;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1074 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1075
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1076 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1077 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1078
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1079 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1080 c->ssl->no_send_shutdown = 1;
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1081
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1082 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1083 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1084 "peer shutdown SSL cleanly");
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1085 return NGX_DONE;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1086 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1087
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1088 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1089
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1090 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1091 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1092
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1093
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1094 static void
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1095 ngx_ssl_write_handler(ngx_event_t *wev)
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1096 {
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1097 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1098
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1099 c = wev->data;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1100
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1101 c->read->handler(c->read);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1102 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1103
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1104
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1105 /*
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1106 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1107 * before the SSL_write() call to decrease a SSL overhead.
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1108 *
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1109 * Besides for protocols such as HTTP it is possible to always buffer
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1110 * the output to decrease a SSL overhead some more.
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1111 */
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1112
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1113 ngx_chain_t *
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1114 ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1115 {
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1116 int n;
399
4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents: 398
diff changeset
1117 ngx_uint_t flush;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1118 ssize_t send, size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1119 ngx_buf_t *buf;
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1120
2280
6453161bf53e always use buffer, if connection is buffered,
Igor Sysoev <igor@sysoev.ru>
parents: 2165
diff changeset
1121 if (!c->ssl->buffer) {
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1122
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1123 while (in) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1124 if (ngx_buf_special(in->buf)) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1125 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1126 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1127 }
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1128
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1129 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1130
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1131 if (n == NGX_ERROR) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1132 return NGX_CHAIN_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1133 }
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1134
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1135 if (n == NGX_AGAIN) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1136 return in;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1137 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1138
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1139 in->buf->pos += n;
4629
e813c113ef19 Update c->sent in ngx_ssl_send_chain() even if SSL buffer is not used.
Valentin Bartenev <vbart@nginx.com>
parents: 4572
diff changeset
1140 c->sent += n;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1141
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1142 if (in->buf->pos == in->buf->last) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1143 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1144 }
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1145 }
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1146
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1147 return in;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1148 }
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1149
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1150
3962
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents: 3961
diff changeset
1151 /* the maximum limit size is the maximum int32_t value - the page size */
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents: 3961
diff changeset
1152
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents: 3961
diff changeset
1153 if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents: 3961
diff changeset
1154 limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1155 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1156
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1157 buf = c->ssl->buf;
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1158
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1159 if (buf == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1160 buf = ngx_create_temp_buf(c->pool, NGX_SSL_BUFSIZE);
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1161 if (buf == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1162 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1163 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1164
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1165 c->ssl->buf = buf;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1166 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1167
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1168 if (buf->start == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1169 buf->start = ngx_palloc(c->pool, NGX_SSL_BUFSIZE);
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1170 if (buf->start == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1171 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1172 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1173
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1174 buf->pos = buf->start;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1175 buf->last = buf->start;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1176 buf->end = buf->start + NGX_SSL_BUFSIZE;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1177 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1178
5023
70a35b7b63ea SSL: take into account data in the buffer while limiting output.
Valentin Bartenev <vbart@nginx.com>
parents: 5022
diff changeset
1179 send = buf->last - buf->pos;
5020
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1180 flush = (in == NULL) ? 1 : buf->flush;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1181
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1182 for ( ;; ) {
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1183
3283
52b1624b93c2 fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents: 3159
diff changeset
1184 while (in && buf->last < buf->end && send < limit) {
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1185 if (in->buf->last_buf || in->buf->flush) {
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1186 flush = 1;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1187 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1188
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1189 if (ngx_buf_special(in->buf)) {
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1190 in = in->next;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1191 continue;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1192 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1193
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1194 size = in->buf->last - in->buf->pos;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1195
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1196 if (size > buf->end - buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1197 size = buf->end - buf->last;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1198 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1199
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1200 if (send + size > limit) {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1201 size = (ssize_t) (limit - send);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1202 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1203
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1204 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1205 "SSL buf copy: %d", size);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1206
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1207 ngx_memcpy(buf->last, in->buf->pos, size);
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1208
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1209 buf->last += size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1210 in->buf->pos += size;
3283
52b1624b93c2 fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents: 3159
diff changeset
1211 send += size;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1212
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1213 if (in->buf->pos == in->buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1214 in = in->next;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1215 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1216 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1217
5020
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1218 if (!flush && send < limit && buf->last < buf->end) {
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1219 break;
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1220 }
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1221
5021
674f8739e443 SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents: 5020
diff changeset
1222 size = buf->last - buf->pos;
674f8739e443 SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents: 5020
diff changeset
1223
5022
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1224 if (size == 0) {
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1225 buf->flush = 0;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1226 c->buffered &= ~NGX_SSL_BUFFERED;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1227 return in;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1228 }
1d819608ad4a SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents: 5021
diff changeset
1229
398
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1230 n = ngx_ssl_write(c, buf->pos, size);
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1231
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1232 if (n == NGX_ERROR) {
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents: 397
diff changeset
1233 return NGX_CHAIN_ERROR;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1234 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1235
511
c12967aadd87 nginx-0.1.30-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 509
diff changeset
1236 if (n == NGX_AGAIN) {
5020
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1237 break;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1238 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1239
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1240 buf->pos += n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1241 c->sent += n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1242
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1243 if (n < size) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1244 break;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1245 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1246
5019
69693a098655 SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents: 5018
diff changeset
1247 flush = 0;
69693a098655 SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents: 5018
diff changeset
1248
5018
0ea36741bb35 SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents: 5003
diff changeset
1249 buf->pos = buf->start;
0ea36741bb35 SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents: 5003
diff changeset
1250 buf->last = buf->start;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1251
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1252 if (in == NULL || send == limit) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1253 break;
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1254 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1255 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1256
5020
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1257 buf->flush = flush;
587dbe2edc5f SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents: 5019
diff changeset
1258
597
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1259 if (buf->pos < buf->last) {
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1260 c->buffered |= NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1261
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1262 } else {
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1263 c->buffered &= ~NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 591
diff changeset
1264 }
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1265
399
4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents: 398
diff changeset
1266 return in;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1267 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1268
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1269
539
371c1cee100d nginx-0.1.44-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 513
diff changeset
1270 ssize_t
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1271 ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1272 {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1273 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1274 ngx_err_t err;
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1275
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1276 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1277
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1278 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %d", size);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1279
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1280 n = SSL_write(c->ssl->connection, data, size);
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1281
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1282 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1283
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1284 if (n > 0) {
539
371c1cee100d nginx-0.1.44-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 513
diff changeset
1285
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1286 if (c->ssl->saved_read_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1287
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1288 c->read->handler = c->ssl->saved_read_handler;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1289 c->ssl->saved_read_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1290 c->read->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1291
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1292 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1293 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1294 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1295
563
9c2f3ed7a247 nginx-0.3.3-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 559
diff changeset
1296 ngx_post_event(c->read, &ngx_posted_events);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1297 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1298
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1299 return n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1300 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1301
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1302 sslerr = SSL_get_error(c->ssl->connection, n);
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1303
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1304 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1305
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1306 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1307
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1308 if (sslerr == SSL_ERROR_WANT_WRITE) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1309 c->write->ready = 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1310 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1311 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1312
445
f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents: 444
diff changeset
1313 if (sslerr == SSL_ERROR_WANT_READ) {
452
23fb87bddda1 nginx-0.1.1-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 445
diff changeset
1314
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1315 ngx_log_error(NGX_LOG_INFO, c->log, 0,
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1316 "peer started SSL renegotiation");
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1317
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1318 c->read->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1319
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1320 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1321 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1322 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1323
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1324 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1325 * we do not set the timer because there is already
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1326 * the write event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1327 */
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1328
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1329 if (c->ssl->saved_read_handler == NULL) {
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1330 c->ssl->saved_read_handler = c->read->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1331 c->read->handler = ngx_ssl_read_handler;
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1332 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1333
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1334 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1335 }
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1336
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1337 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1338 c->ssl->no_send_shutdown = 1;
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1339 c->write->error = 1;
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1340
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1341 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed");
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1342
397
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents: 396
diff changeset
1343 return NGX_ERROR;
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1344 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1345
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1346
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1347 static void
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1348 ngx_ssl_read_handler(ngx_event_t *rev)
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1349 {
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1350 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1351
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1352 c = rev->data;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1353
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1354 c->write->handler(c->write);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1355 }
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1356
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1357
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1358 void
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1359 ngx_ssl_free_buffer(ngx_connection_t *c)
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1360 {
1795
3a0132e2be2c fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents: 1779
diff changeset
1361 if (c->ssl->buf && c->ssl->buf->start) {
3a0132e2be2c fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents: 1779
diff changeset
1362 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) {
3a0132e2be2c fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents: 1779
diff changeset
1363 c->ssl->buf->start = NULL;
3a0132e2be2c fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents: 1779
diff changeset
1364 }
1779
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1365 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1366 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1367
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents: 1778
diff changeset
1368
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1369 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1370 ngx_ssl_shutdown(ngx_connection_t *c)
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1371 {
1754
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1372 int n, sslerr, mode;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1373 ngx_err_t err;
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1374
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1375 if (c->timedout) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1376 mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN;
4064
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1377 SSL_set_quiet_shutdown(c->ssl->connection, 1);
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1378
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1379 } else {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1380 mode = SSL_get_shutdown(c->ssl->connection);
473
8e8f3af115b5 nginx-0.1.11-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 469
diff changeset
1381
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1382 if (c->ssl->no_wait_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1383 mode |= SSL_RECEIVED_SHUTDOWN;
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1384 }
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1385
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1386 if (c->ssl->no_send_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1387 mode |= SSL_SENT_SHUTDOWN;
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1388 }
4064
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1389
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1390 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) {
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1391 SSL_set_quiet_shutdown(c->ssl->connection, 1);
5b776ad53c3c Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents: 3992
diff changeset
1392 }
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1393 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1394
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1395 SSL_set_shutdown(c->ssl->connection, mode);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1396
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1397 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1398
1754
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1399 n = SSL_shutdown(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1400
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1401 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1402
461
a88a3e4e158f nginx-0.1.5-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 455
diff changeset
1403 sslerr = 0;
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1404
1860
a1f00736852e grammar fix
Igor Sysoev <igor@sysoev.ru>
parents: 1795
diff changeset
1405 /* SSL_shutdown() never returns -1, on error it returns 0 */
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1406
1865
4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755
Igor Sysoev <igor@sysoev.ru>
parents: 1861
diff changeset
1407 if (n != 1 && ERR_peek_error()) {
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1408 sslerr = SSL_get_error(c->ssl->connection, n);
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1409
396
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1410 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents: 395
diff changeset
1411 "SSL_get_error: %d", sslerr);
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1412 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1413
1865
4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755
Igor Sysoev <igor@sysoev.ru>
parents: 1861
diff changeset
1414 if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) {
1754
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1415 SSL_free(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1416 c->ssl = NULL;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1417
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1418 return NGX_OK;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1419 }
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1420
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1421 if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) {
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1422 c->read->handler = ngx_ssl_shutdown_handler;
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
1423 c->write->handler = ngx_ssl_shutdown_handler;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1424
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1425 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1426 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1427 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1428
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1429 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1430 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1431 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1432
1754
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents: 1743
diff changeset
1433 if (sslerr == SSL_ERROR_WANT_READ) {
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
1434 ngx_add_timer(c->read, 30000);
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
1435 }
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
1436
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1437 return NGX_AGAIN;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1438 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1439
591
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1440 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1441
8c0cdd81580e nginx-0.3.17-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 589
diff changeset
1442 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed");
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1443
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1444 SSL_free(c->ssl->connection);
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1445 c->ssl = NULL;
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
1446
394
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1447 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1448 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1449
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents: 393
diff changeset
1450
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1451 static void
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1452 ngx_ssl_shutdown_handler(ngx_event_t *ev)
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1453 {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1454 ngx_connection_t *c;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1455 ngx_connection_handler_pt handler;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1456
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1457 c = ev->data;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1458 handler = c->ssl->handler;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1459
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1460 if (ev->timedout) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1461 c->timedout = 1;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1462 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1463
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1464 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler");
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1465
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1466 if (ngx_ssl_shutdown(c) == NGX_AGAIN) {
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1467 return;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1468 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1469
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1470 handler(c);
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1471 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1472
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1473
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1474 static void
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1475 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1476 char *text)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1477 {
1876
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1478 int n;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1479 ngx_uint_t level;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1480
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1481 level = NGX_LOG_CRIT;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1482
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1483 if (sslerr == SSL_ERROR_SYSCALL) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1484
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1485 if (err == NGX_ECONNRESET
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1486 || err == NGX_EPIPE
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1487 || err == NGX_ENOTCONN
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
1488 || err == NGX_ETIMEDOUT
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1489 || err == NGX_ECONNREFUSED
1869
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents: 1868
diff changeset
1490 || err == NGX_ENETDOWN
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents: 1868
diff changeset
1491 || err == NGX_ENETUNREACH
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents: 1868
diff changeset
1492 || err == NGX_EHOSTDOWN
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1493 || err == NGX_EHOSTUNREACH)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1494 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1495 switch (c->log_error) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1496
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1497 case NGX_ERROR_IGNORE_ECONNRESET:
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1498 case NGX_ERROR_INFO:
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1499 level = NGX_LOG_INFO;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1500 break;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1501
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1502 case NGX_ERROR_ERR:
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1503 level = NGX_LOG_ERR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1504 break;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1505
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1506 default:
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1507 break;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1508 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1509 }
1876
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1510
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1511 } else if (sslerr == SSL_ERROR_SSL) {
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1512
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1513 n = ERR_GET_REASON(ERR_peek_error());
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1514
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1515 /* handshake failures */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1516 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1517 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
3718
bfd84b583868 decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3516
diff changeset
1518 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1519 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1520 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
3455
028f0892e0cd decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3357
diff changeset
1521 || n == SSL_R_LENGTH_MISMATCH /* 159 */
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1522 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
3455
028f0892e0cd decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3357
diff changeset
1523 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1524 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1525 || n == SSL_R_NO_SHARED_CIPHER /* 193 */
3455
028f0892e0cd decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3357
diff changeset
1526 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1527 #ifdef SSL_R_PARSE_TLSEXT
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1528 || n == SSL_R_PARSE_TLSEXT /* 227 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1529 #endif
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1530 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1531 || n == SSL_R_UNEXPECTED_RECORD /* 245 */
3455
028f0892e0cd decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3357
diff changeset
1532 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
3357
fc735aa50b8b decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3300
diff changeset
1533 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1534 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1535 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1536 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1537 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1538 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1539 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1540 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1541 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1542 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1543 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1544 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1545 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
1546 #endif
1877
a55876dff8f5 low SSL handshake close notify alert error level
Igor Sysoev <igor@sysoev.ru>
parents: 1876
diff changeset
1547 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1548 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1549 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1550 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1551 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1552 || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1553 || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1554 || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1555 || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1556 || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1557 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1558 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1559 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1560 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1561 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1562 || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1563 || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1564 || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1565 || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1566 || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1567 || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1568 || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1569 || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
1570 || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION) /* 1100 */
1876
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1571 {
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1572 switch (c->log_error) {
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1573
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1574 case NGX_ERROR_IGNORE_ECONNRESET:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1575 case NGX_ERROR_INFO:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1576 level = NGX_LOG_INFO;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1577 break;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1578
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1579 case NGX_ERROR_ERR:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1580 level = NGX_LOG_ERR;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1581 break;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1582
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1583 default:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1584 break;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1585 }
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
1586 }
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1587 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1588
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1589 ngx_ssl_error(level, c->log, err, text);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1590 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1591
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1592
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1593 static void
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1594 ngx_ssl_clear_error(ngx_log_t *log)
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1595 {
1868
c2cd0720f292 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1865
diff changeset
1596 while (ERR_peek_error()) {
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1597 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1598 }
1868
c2cd0720f292 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1865
diff changeset
1599
c2cd0720f292 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1865
diff changeset
1600 ERR_clear_error();
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1601 }
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1602
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1603
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1604 void ngx_cdecl
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
1605 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1606 {
4877
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1607 int flags;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1608 u_long n;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1609 va_list args;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1610 u_char *p, *last;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1611 u_char errstr[NGX_MAX_CONF_ERRSTR];
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1612 const char *data;
461
a88a3e4e158f nginx-0.1.5-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 455
diff changeset
1613
a88a3e4e158f nginx-0.1.5-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 455
diff changeset
1614 last = errstr + NGX_MAX_CONF_ERRSTR;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1615
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1616 va_start(args, fmt);
2764
d4a717592877 use ngx_vslprintf(), ngx_slprintf()
Igor Sysoev <igor@sysoev.ru>
parents: 2720
diff changeset
1617 p = ngx_vslprintf(errstr, last - 1, fmt, args);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1618 va_end(args);
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1619
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1620 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1621
1861
f00b30557c81 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1860
diff changeset
1622 for ( ;; ) {
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1623
4877
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1624 n = ERR_peek_error_line_data(NULL, NULL, &data, &flags);
583
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1625
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1626 if (n == 0) {
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1627 break;
4e296b7d25bf nginx-0.3.13-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 577
diff changeset
1628 }
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1629
1861
f00b30557c81 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1860
diff changeset
1630 if (p >= last) {
4877
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1631 goto next;
1861
f00b30557c81 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1860
diff changeset
1632 }
f00b30557c81 pull all errors
Igor Sysoev <igor@sysoev.ru>
parents: 1860
diff changeset
1633
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1634 *p++ = ' ';
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1635
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1636 ERR_error_string_n(n, (char *) p, last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1637
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1638 while (p < last && *p) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1639 p++;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1640 }
4877
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1641
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1642 if (p < last && *data && (flags & ERR_TXT_STRING)) {
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1643 *p++ = ':';
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1644 p = ngx_cpystrn(p, (u_char *) data, last - p);
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1645 }
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1646
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1647 next:
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1648
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
1649 (void) ERR_get_error();
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1650 }
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1651
395
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents: 394
diff changeset
1652 ngx_log_error(level, log, err, "%s)", errstr);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
1653 }
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1654
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
1655
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1656 ngx_int_t
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1657 ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1658 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1659 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1660 long cache_mode;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1661
1778
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
1662 if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
1663 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
1664 return NGX_OK;
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
1665 }
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
1666
3457
17706823a57e Set SSL session context for "ssl_session_cache none".
Igor Sysoev <igor@sysoev.ru>
parents: 3455
diff changeset
1667 SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
17706823a57e Set SSL session context for "ssl_session_cache none".
Igor Sysoev <igor@sysoev.ru>
parents: 3455
diff changeset
1668
2032
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1669 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1670
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1671 /*
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1672 * If the server explicitly says that it does not support
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1673 * session reuse (see SSL_SESS_CACHE_OFF above), then
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1674 * Outlook Express fails to upload a sent email to
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1675 * the Sent Items folder on the IMAP server via a separate IMAP
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1676 * connection in the background. Therefore we have a special
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1677 * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE)
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1678 * where the server pretends that it supports session reuse,
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1679 * but it does not actually store any session.
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1680 */
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1681
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1682 SSL_CTX_set_session_cache_mode(ssl->ctx,
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1683 SSL_SESS_CACHE_SERVER
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1684 |SSL_SESS_CACHE_NO_AUTO_CLEAR
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1685 |SSL_SESS_CACHE_NO_INTERNAL_STORE);
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1686
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1687 SSL_CTX_sess_set_cache_size(ssl->ctx, 1);
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1688
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1689 return NGX_OK;
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1690 }
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
1691
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1692 cache_mode = SSL_SESS_CACHE_SERVER;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1693
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1694 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1695 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1696 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1697
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1698 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1699
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1700 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1701
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1702 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1703 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1704 }
1015
32ebb6b13ff3 ssl_session_timeout was set only if builtin cache was used
Igor Sysoev <igor@sysoev.ru>
parents: 1014
diff changeset
1705 }
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1706
2710
218ee852de73 fix building by MSVC8
Igor Sysoev <igor@sysoev.ru>
parents: 2611
diff changeset
1707 SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1708
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1709 if (shm_zone) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1710 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1711 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1712 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1713
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1714 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1715 == 0)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1716 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1717 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1718 "SSL_CTX_set_ex_data() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1719 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1720 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1721 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1722
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1723 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1724 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1725
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1726
3992
a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents: 3962
diff changeset
1727 ngx_int_t
993
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
1728 ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1729 {
2611
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
1730 size_t len;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1731 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1732 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1733
993
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
1734 if (data) {
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
1735 shm_zone->data = data;
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
1736 return NGX_OK;
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
1737 }
1b9a4d92173f pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents: 989
diff changeset
1738
2720
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
1739 if (shm_zone->shm.exists) {
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
1740 shm_zone->data = data;
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
1741 return NGX_OK;
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
1742 }
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
1743
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1744 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1745
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1746 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t));
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1747 if (cache == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1748 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1749 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1750
2720
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
1751 shpool->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
1752 shm_zone->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2716
diff changeset
1753
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
1754 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel,
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
1755 ngx_ssl_session_rbtree_insert_value);
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
1756
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
1757 ngx_queue_init(&cache->expire_queue);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1758
2716
d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2710
diff changeset
1759 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len;
2611
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
1760
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
1761 shpool->log_ctx = ngx_slab_alloc(shpool, len);
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
1762 if (shpool->log_ctx == NULL) {
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
1763 return NGX_ERROR;
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
1764 }
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
1765
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
1766 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z",
2716
d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents: 2710
diff changeset
1767 &shm_zone->shm.name);
2611
2bce3f6416c6 improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents: 2536
diff changeset
1768
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1769 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1770 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1771
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1772
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1773 /*
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
1774 * The length of the session id is 16 bytes for SSLv2 sessions and
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
1775 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes.
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
1776 * It seems that the typical length of the external ASN1 representation
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
1777 * of a session is 118 or 119 bytes for SSLv3/TSLv1.
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1778 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1779 * Thus on 32-bit platforms we allocate separately an rbtree node,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1780 * a session id, and an ASN1 representation, they take accordingly
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1781 * 64, 32, and 128 bytes.
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1782 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1783 * On 64-bit platforms we allocate separately an rbtree node + session_id,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1784 * and an ASN1 representation, they take accordingly 128 and 128 bytes.
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
1785 *
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1786 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1787 * so they are outside the code locked by shared pool mutex
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1788 */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1789
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1790 static int
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1791 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1792 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1793 int len;
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
1794 u_char *p, *id, *cached_sess;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1795 uint32_t hash;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1796 SSL_CTX *ssl_ctx;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1797 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1798 ngx_connection_t *c;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1799 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1800 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1801 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1802 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1803
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1804 len = i2d_SSL_SESSION(sess, NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1805
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1806 /* do not cache too big session */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1807
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1808 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1809 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1810 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1811
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1812 p = buf;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1813 i2d_SSL_SESSION(sess, &p);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1814
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1815 c = ngx_ssl_get_connection(ssl_conn);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1816
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1817 ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1818 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1819
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1820 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1821 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1822
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1823 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1824
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1825 /* drop one or two expired sessions */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1826 ngx_ssl_expire_sessions(cache, shpool, 1);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1827
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
1828 cached_sess = ngx_slab_alloc_locked(shpool, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1829
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1830 if (cached_sess == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1831
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1832 /* drop the oldest non-expired session and try once more */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1833
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1834 ngx_ssl_expire_sessions(cache, shpool, 0);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1835
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
1836 cached_sess = ngx_slab_alloc_locked(shpool, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1837
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1838 if (cached_sess == NULL) {
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1839 sess_id = NULL;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1840 goto failed;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1841 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1842 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1843
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1844 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1845
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1846 if (sess_id == NULL) {
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1847
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1848 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1849
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1850 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1851
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1852 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1853
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1854 if (sess_id == NULL) {
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1855 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1856 }
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1857 }
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1858
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1859 #if (NGX_PTR_SIZE == 8)
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1860
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1861 id = sess_id->sess_id;
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1862
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1863 #else
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1864
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1865 id = ngx_slab_alloc_locked(shpool, sess->session_id_length);
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1866
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1867 if (id == NULL) {
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1868
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1869 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1870
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1871 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1872
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1873 id = ngx_slab_alloc_locked(shpool, sess->session_id_length);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1874
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1875 if (id == NULL) {
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1876 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
1877 }
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1878 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1879
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1880 #endif
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1881
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
1882 ngx_memcpy(cached_sess, buf, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1883
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1884 ngx_memcpy(id, sess->session_id, sess->session_id_length);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1885
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1886 hash = ngx_crc32_short(sess->session_id, sess->session_id_length);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1887
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1888 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
3155
e720c4a68ee0 fix debug log message
Igor Sysoev <igor@sysoev.ru>
parents: 3154
diff changeset
1889 "ssl new session: %08XD:%d:%d",
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1890 hash, sess->session_id_length, len);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1891
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1892 sess_id->node.key = hash;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1893 sess_id->node.data = (u_char) sess->session_id_length;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1894 sess_id->id = id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1895 sess_id->len = len;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1896 sess_id->session = cached_sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1897
1757
7ab8bd535eed use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents: 1756
diff changeset
1898 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1899
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
1900 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1901
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
1902 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1903
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1904 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1905
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1906 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1907
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1908 failed:
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1909
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1910 if (cached_sess) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1911 ngx_slab_free_locked(shpool, cached_sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1912 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1913
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1914 if (sess_id) {
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
1915 ngx_slab_free_locked(shpool, sess_id);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1916 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1917
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1918 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1919
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1920 ngx_log_error(NGX_LOG_ALERT, c->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1921 "could not add new SSL session to the session cache");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1922
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1923 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1924 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1925
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1926
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1927 static ngx_ssl_session_t *
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1928 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, u_char *id, int len,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1929 int *copy)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1930 {
989
5595e47d4f17 d2i_SSL_SESSION() was changed in 0.9.7f
Igor Sysoev <igor@sysoev.ru>
parents: 974
diff changeset
1931 #if OPENSSL_VERSION_NUMBER >= 0x0090707fL
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1932 const
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1933 #endif
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1934 u_char *p;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1935 uint32_t hash;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
1936 ngx_int_t rc;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1937 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1938 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1939 ngx_rbtree_node_t *node, *sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1940 ngx_ssl_session_t *sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1941 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1942 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1943 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
3961
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
1944 #if (NGX_DEBUG)
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
1945 ngx_connection_t *c;
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
1946 #endif
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1947
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
1948 hash = ngx_crc32_short(id, (size_t) len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1949 *copy = 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1950
3961
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
1951 #if (NGX_DEBUG)
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
1952 c = ngx_ssl_get_connection(ssl_conn);
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
1953
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1954 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
3155
e720c4a68ee0 fix debug log message
Igor Sysoev <igor@sysoev.ru>
parents: 3154
diff changeset
1955 "ssl get session: %08XD:%d", hash, len);
3961
4048aa055411 fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents: 3960
diff changeset
1956 #endif
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1957
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1958 shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1959 ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1960
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1961 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1962
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1963 sess = NULL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1964
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1965 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1966
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1967 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1968
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
1969 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
1970 sentinel = cache->session_rbtree.sentinel;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1971
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1972 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1973
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1974 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1975 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1976 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1977 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1978
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1979 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1980 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1981 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1982 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
1983
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
1984 /* hash == node->key */
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
1985
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1986 sess_id = (ngx_ssl_sess_id_t *) node;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1987
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1988 rc = ngx_memn2cmp(id, sess_id->id, (size_t) len, (size_t) node->data);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1989
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1990 if (rc == 0) {
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1991
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1992 if (sess_id->expire > ngx_time()) {
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1993 ngx_memcpy(buf, sess_id->session, sess_id->len);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1994
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1995 ngx_shmtx_unlock(&shpool->mutex);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1996
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1997 p = buf;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1998 sess = d2i_SSL_SESSION(NULL, &p, sess_id->len);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
1999
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2000 return sess;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2001 }
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2002
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2003 ngx_queue_remove(&sess_id->queue);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2004
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2005 ngx_rbtree_delete(&cache->session_rbtree, node);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2006
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2007 ngx_slab_free_locked(shpool, sess_id->session);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2008 #if (NGX_PTR_SIZE == 4)
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2009 ngx_slab_free_locked(shpool, sess_id->id);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2010 #endif
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2011 ngx_slab_free_locked(shpool, sess_id);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2012
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2013 sess = NULL;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2014
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2015 goto done;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2016 }
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2017
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2018 node = (rc < 0) ? node->left : node->right;
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2019 }
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2020
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2021 done:
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2022
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2023 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2024
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2025 return sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2026 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2027
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2028
1924
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2029 void
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2030 ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2031 {
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2032 SSL_CTX_remove_session(ssl, sess);
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2033
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2034 ngx_ssl_remove_session(ssl, sess);
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2035 }
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2036
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2037
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2038 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2039 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2040 {
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2041 size_t len;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2042 u_char *id;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2043 uint32_t hash;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2044 ngx_int_t rc;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2045 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2046 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2047 ngx_rbtree_node_t *node, *sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2048 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2049 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2050
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2051 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2052
1924
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2053 if (shm_zone == NULL) {
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2054 return;
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2055 }
291689a7e5dc invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents: 1877
diff changeset
2056
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2057 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2058
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2059 id = sess->session_id;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2060 len = (size_t) sess->session_id_length;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2061
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2062 hash = ngx_crc32_short(id, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2063
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2064 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
3155
e720c4a68ee0 fix debug log message
Igor Sysoev <igor@sysoev.ru>
parents: 3154
diff changeset
2065 "ssl remove session: %08XD:%uz", hash, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2066
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2067 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2068
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2069 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2070
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2071 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
2072 sentinel = cache->session_rbtree.sentinel;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2073
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2074 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2075
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2076 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2077 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2078 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2079 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2080
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2081 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2082 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2083 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2084 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2085
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2086 /* hash == node->key */
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2087
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2088 sess_id = (ngx_ssl_sess_id_t *) node;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2089
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2090 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2091
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2092 if (rc == 0) {
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2093
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2094 ngx_queue_remove(&sess_id->queue);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2095
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2096 ngx_rbtree_delete(&cache->session_rbtree, node);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2097
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2098 ngx_slab_free_locked(shpool, sess_id->session);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2099 #if (NGX_PTR_SIZE == 4)
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2100 ngx_slab_free_locked(shpool, sess_id->id);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2101 #endif
4497
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2102 ngx_slab_free_locked(shpool, sess_id);
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2103
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2104 goto done;
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2105 }
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2106
95ab6658654a Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4414
diff changeset
2107 node = (rc < 0) ? node->left : node->right;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2108 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2109
1013
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2110 done:
7dd987e09701 stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents: 993
diff changeset
2111
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2112 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2113 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2114
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2115
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2116 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2117 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2118 ngx_slab_pool_t *shpool, ngx_uint_t n)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2119 {
1757
7ab8bd535eed use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents: 1756
diff changeset
2120 time_t now;
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2121 ngx_queue_t *q;
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2122 ngx_ssl_sess_id_t *sess_id;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2123
1757
7ab8bd535eed use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents: 1756
diff changeset
2124 now = ngx_time();
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2125
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2126 while (n < 3) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2127
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2128 if (ngx_queue_empty(&cache->expire_queue)) {
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2129 return;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2130 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2131
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2132 q = ngx_queue_last(&cache->expire_queue);
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2133
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2134 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue);
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2135
1757
7ab8bd535eed use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents: 1756
diff changeset
2136 if (n++ != 0 && sess_id->expire > now) {
1439
36548ad85be1 style fix
Igor Sysoev <igor@sysoev.ru>
parents: 1426
diff changeset
2137 return;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2138 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2139
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2140 ngx_queue_remove(q);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2141
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2142 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2143 "expire session: %08Xi", sess_id->node.key);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2144
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2145 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
2146
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
2147 ngx_slab_free_locked(shpool, sess_id->session);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2148 #if (NGX_PTR_SIZE == 4)
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2149 ngx_slab_free_locked(shpool, sess_id->id);
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
2150 #endif
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2151 ngx_slab_free_locked(shpool, sess_id);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2152 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2153 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2154
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
2155
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2156 static void
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2157 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2158 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel)
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2159 {
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2160 ngx_rbtree_node_t **p;
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2161 ngx_ssl_sess_id_t *sess_id, *sess_id_temp;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2162
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2163 for ( ;; ) {
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2164
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2165 if (node->key < temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2166
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2167 p = &temp->left;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2168
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2169 } else if (node->key > temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2170
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2171 p = &temp->right;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2172
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2173 } else { /* node->key == temp->key */
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2174
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2175 sess_id = (ngx_ssl_sess_id_t *) node;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2176 sess_id_temp = (ngx_ssl_sess_id_t *) temp;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2177
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2178 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id,
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2179 (size_t) node->data, (size_t) temp->data)
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2180 < 0) ? &temp->left : &temp->right;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2181 }
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2182
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2183 if (*p == sentinel) {
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2184 break;
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2185 }
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2186
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2187 temp = *p;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2188 }
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2189
1743
4fc402c3ec73 optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents: 1439
diff changeset
2190 *p = node;
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2191 node->parent = temp;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2192 node->left = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2193 node->right = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2194 ngx_rbt_red(node);
1043
7073b87fa8e9 style fix: remove trailing spaces
Igor Sysoev <igor@sysoev.ru>
parents: 1029
diff changeset
2195 }
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2196
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
2197
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
2198 void
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
2199 ngx_ssl_cleanup_ctx(void *data)
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
2200 {
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
2201 ngx_ssl_t *ssl = data;
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
2202
589
d4e858a5751a nginx-0.3.16-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 583
diff changeset
2203 SSL_CTX_free(ssl->ctx);
509
9b8c906f6e63 nginx-0.1.29-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 501
diff changeset
2204 }
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2205
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2206
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2207 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2208 ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
2209 {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2210 s->data = (u_char *) SSL_get_version(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2211 return NGX_OK;
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
2212 }
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
2213
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
2214
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2215 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2216 ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
2217 {
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2218 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2219 return NGX_OK;
611
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
2220 }
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
2221
3f8a2132b93d nginx-0.3.27-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 597
diff changeset
2222
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2223 ngx_int_t
3154
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2224 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2225 {
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2226 int len;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2227 u_char *p, *buf;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2228 SSL_SESSION *sess;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2229
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2230 sess = SSL_get0_session(c->ssl->connection);
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2231
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2232 len = i2d_SSL_SESSION(sess, NULL);
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2233
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2234 buf = ngx_alloc(len, c->log);
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2235 if (buf == NULL) {
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2236 return NGX_ERROR;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2237 }
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2238
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2239 s->len = 2 * len;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2240 s->data = ngx_pnalloc(pool, 2 * len);
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2241 if (s->data == NULL) {
3159
d4cc5a450ee9 fix r3155
Igor Sysoev <igor@sysoev.ru>
parents: 3155
diff changeset
2242 ngx_free(buf);
3154
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2243 return NGX_ERROR;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2244 }
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2245
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2246 p = buf;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2247 i2d_SSL_SESSION(sess, &p);
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2248
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2249 ngx_hex_dump(s->data, buf, len);
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2250
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2251 ngx_free(buf);
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2252
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2253 return NGX_OK;
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2254 }
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2255
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2256
823f72db46c0 $ssl_session_id
Igor Sysoev <igor@sysoev.ru>
parents: 3002
diff changeset
2257 ngx_int_t
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2258 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
2045
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2259 {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2260 size_t len;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2261 BIO *bio;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2262 X509 *cert;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2263
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2264 s->len = 0;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2265
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2266 cert = SSL_get_peer_certificate(c->ssl->connection);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2267 if (cert == NULL) {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2268 return NGX_OK;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2269 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2270
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2271 bio = BIO_new(BIO_s_mem());
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2272 if (bio == NULL) {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2273 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2274 X509_free(cert);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2275 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2276 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2277
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2278 if (PEM_write_bio_X509(bio, cert) == 0) {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2279 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2280 goto failed;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2281 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2282
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2283 len = BIO_pending(bio);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2284 s->len = len;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2285
2049
2a92804f4109 *) back out r2040
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
2286 s->data = ngx_pnalloc(pool, len);
2045
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2287 if (s->data == NULL) {
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2288 goto failed;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2289 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2290
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2291 BIO_read(bio, s->data, len);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2292
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2293 BIO_free(bio);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2294 X509_free(cert);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2295
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2296 return NGX_OK;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2297
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2298 failed:
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2299
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2300 BIO_free(bio);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2301 X509_free(cert);
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2302
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2303 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2304 }
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2305
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2306
2b11822b12d6 $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2044
diff changeset
2307 ngx_int_t
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2308 ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2309 {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2310 u_char *p;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2311 size_t len;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2312 ngx_uint_t i;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2313 ngx_str_t cert;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2314
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2315 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2316 return NGX_ERROR;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2317 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2318
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2319 if (cert.len == 0) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2320 s->len = 0;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2321 return NGX_OK;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2322 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2323
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2324 len = cert.len - 1;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2325
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2326 for (i = 0; i < cert.len - 1; i++) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2327 if (cert.data[i] == LF) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2328 len++;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2329 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2330 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2331
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2332 s->len = len;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2333 s->data = ngx_pnalloc(pool, len);
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2334 if (s->data == NULL) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2335 return NGX_ERROR;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2336 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2337
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2338 p = s->data;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2339
3002
bf0c7e58e016 fix memory corruption in $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2997
diff changeset
2340 for (i = 0; i < cert.len - 1; i++) {
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2341 *p++ = cert.data[i];
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2342 if (cert.data[i] == LF) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2343 *p++ = '\t';
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2344 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2345 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2346
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2347 return NGX_OK;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2348 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2349
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2350
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
2351 ngx_int_t
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2352 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2353 {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2354 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2355 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2356 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2357 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2358
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2359 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2360
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2361 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2362 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2363 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2364 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2365
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2366 name = X509_get_subject_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2367 if (name == NULL) {
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
2368 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2369 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2370 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2371
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2372 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2373
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2374 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2375
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2376 s->len = len;
2049
2a92804f4109 *) back out r2040
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
2377 s->data = ngx_pnalloc(pool, len);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2378 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2379 OPENSSL_free(p);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
2380 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2381 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2382 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2383
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2384 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2385
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2386 OPENSSL_free(p);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
2387 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2388
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2389 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2390 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2391
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2392
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2393 ngx_int_t
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2394 ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2395 {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2396 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2397 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2398 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2399 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2400
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2401 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2402
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2403 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2404 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2405 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2406 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2407
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2408 name = X509_get_issuer_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2409 if (name == NULL) {
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
2410 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2411 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2412 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2413
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2414 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2415
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2416 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2417
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2418 s->len = len;
2049
2a92804f4109 *) back out r2040
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
2419 s->data = ngx_pnalloc(pool, len);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2420 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2421 OPENSSL_free(p);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
2422 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2423 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2424 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2425
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2426 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2427
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2428 OPENSSL_free(p);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
2429 X509_free(cert);
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2430
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2431 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2432 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2433
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
2434
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2435 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2436 ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2437 {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2438 size_t len;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2439 X509 *cert;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2440 BIO *bio;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2441
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2442 s->len = 0;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2443
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2444 cert = SSL_get_peer_certificate(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2445 if (cert == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2446 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2447 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2448
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2449 bio = BIO_new(BIO_s_mem());
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2450 if (bio == NULL) {
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
2451 X509_free(cert);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2452 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2453 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2454
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2455 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert));
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2456 len = BIO_pending(bio);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2457
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2458 s->len = len;
2049
2a92804f4109 *) back out r2040
Igor Sysoev <igor@sysoev.ru>
parents: 2045
diff changeset
2459 s->data = ngx_pnalloc(pool, len);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2460 if (s->data == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2461 BIO_free(bio);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
2462 X509_free(cert);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2463 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2464 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2465
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2466 BIO_read(bio, s->data, len);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2467 BIO_free(bio);
1974
f32cc6df6bd6 fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents: 1948
diff changeset
2468 X509_free(cert);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2469
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2470 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2471 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2472
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
2473
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2474 ngx_int_t
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2475 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2476 {
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2477 X509 *cert;
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2478
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2479 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
3516
dd1570b6f237 ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents: 3488
diff changeset
2480 ngx_str_set(s, "FAILED");
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2481 return NGX_OK;
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2482 }
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2483
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2484 cert = SSL_get_peer_certificate(c->ssl->connection);
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2485
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2486 if (cert) {
3516
dd1570b6f237 ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents: 3488
diff changeset
2487 ngx_str_set(s, "SUCCESS");
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2488
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2489 } else {
3516
dd1570b6f237 ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents: 3488
diff changeset
2490 ngx_str_set(s, "NONE");
2994
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2491 }
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2492
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2493 X509_free(cert);
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2494
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2495 return NGX_OK;
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2496 }
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2497
f33c48457d0c *) $ssl_client_verify
Igor Sysoev <igor@sysoev.ru>
parents: 2912
diff changeset
2498
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2499 static void *
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2500 ngx_openssl_create_conf(ngx_cycle_t *cycle)
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2501 {
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2502 ngx_openssl_conf_t *oscf;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2503
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2504 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t));
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2505 if (oscf == NULL) {
2912
c7d57b539248 return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents: 2764
diff changeset
2506 return NULL;
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2507 }
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2508
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2509 /*
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2510 * set by ngx_pcalloc():
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2511 *
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2512 * oscf->engine = 0;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2513 */
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2514
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2515 return oscf;
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2516 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2517
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2518
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2519 static char *
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2520 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2521 {
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2522 ngx_openssl_conf_t *oscf = conf;
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
2523
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2524 ENGINE *engine;
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2525 ngx_str_t *value;
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2526
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2527 if (oscf->engine) {
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2528 return "is duplicate";
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2529 }
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2530
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2531 oscf->engine = 1;
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2532
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2533 value = cf->args->elts;
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2534
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2535 engine = ENGINE_by_id((const char *) value[1].data);
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2536
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2537 if (engine == NULL) {
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2538 ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2539 "ENGINE_by_id(\"%V\") failed", &value[1]);
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2540 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2541 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2542
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2543 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2544 ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2545 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2546 &value[1]);
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2547
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2548 ENGINE_free(engine);
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2549
541
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2550 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2551 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2552
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2553 ENGINE_free(engine);
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2554
b09ee85d0ac8 nginx-0.1.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 539
diff changeset
2555 return NGX_CONF_OK;
2504
9e9a985d956a load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents: 2388
diff changeset
2556 }
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
2557
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
2558
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
2559 static void
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
2560 ngx_openssl_exit(ngx_cycle_t *cycle)
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
2561 {
3464
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents: 3457
diff changeset
2562 EVP_cleanup();
571
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
2563 ENGINE_cleanup();
458b6c3fea65 nginx-0.3.7-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 563
diff changeset
2564 }