annotate src/event/ngx_event_openssl.c @ 8070:ba5cf8f73a2d
SSL: silenced GCC warnings when building with BoringSSL.
BoringSSL uses a macro stub for SSL_CTX_set_ecdh_auto that expands to 1,
which triggers -Wunused-value "statement with no effect" warnings.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Thu, 08 Sep 2022 13:53:49 +0400 |
parents | 0546ab9351c8 |
children | 026ee23b6774 |
2 /* |
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
5 */ |
8 #include <ngx_config.h> |
9 #include <ngx_core.h> |
10 #include <ngx_event.h> |
13 #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 |
541 | 16 typedef struct { |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
17 ngx_uint_t engine; /* unsigned engine:1; */ |
541 | 18 } ngx_openssl_conf_t; |
21 static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
22 ngx_str_t *cert, STACK_OF(X509) **chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
23 static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
24 ngx_str_t *key, ngx_array_t *passwords); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
25 static int ngx_ssl_password_callback(char *buf, int size, int rwflag, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
26 void *userdata); |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
27 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
28 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
29 int ret); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
30 static void ngx_ssl_passwords_cleanup(void *data); |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
31 static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
32 ngx_ssl_session_t *sess); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
33 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
34 static ngx_int_t ngx_ssl_try_early_data(ngx_connection_t *c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
35 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
36 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
37 static void ngx_ssl_handshake_log(ngx_connection_t *c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
38 #endif |
547 | 39 static void ngx_ssl_handshake_handler(ngx_event_t *ev); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
40 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
41 static ssize_t ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
42 size_t size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
43 #endif |
489 | 44 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); |
473 | 45 static void ngx_ssl_write_handler(ngx_event_t *wev); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
46 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
47 static ssize_t ngx_ssl_write_early(ngx_connection_t *c, u_char *data, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
48 size_t size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
49 #endif |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
50 static ssize_t ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
51 size_t size); |
473 | 52 static void ngx_ssl_read_handler(ngx_event_t *rev); |
577 | 53 static void ngx_ssl_shutdown_handler(ngx_event_t *ev); |
547 | 54 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, |
55 ngx_err_t err, char *text); | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
56 static void ngx_ssl_clear_error(ngx_log_t *log); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
57 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
58 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
59 ngx_str_t *sess_ctx, ngx_array_t *certificates); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
60 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
61 ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
62 static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
63 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
64 const |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
65 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
66 u_char *id, int len, int *copy); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
67 static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
68 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
69 ngx_slab_pool_t *shpool, ngx_uint_t n); |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
70 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
71 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
72 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
73 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
74 static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
75 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
76 HMAC_CTX *hctx, int enc); |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
77 static void ngx_ssl_session_ticket_keys_cleanup(void *data); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
78 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
79 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
80 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
81 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
82 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
83 |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
84 static time_t ngx_ssl_parse_time( |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
85 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
86 const |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
87 #endif |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
88 ASN1_TIME *asn1time, ngx_log_t *log); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
89 |
541 | 90 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
91 static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); |
571 | 92 static void ngx_openssl_exit(ngx_cycle_t *cycle); |
95 static ngx_command_t ngx_openssl_commands[] = { | |
96 | |
97 { ngx_string("ssl_engine"), | |
98 NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
99 ngx_openssl_engine, |
541 | 100 0, |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
101 0, |
541 | 102 NULL }, |
103 | |
104 ngx_null_command | |
105 }; | |
108 static ngx_core_module_t ngx_openssl_module_ctx = { | |
109 ngx_string("openssl"), | |
110 ngx_openssl_create_conf, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
111 NULL |
577 | 112 }; |
115 ngx_module_t ngx_openssl_module = { | |
116 NGX_MODULE_V1, | |
117 &ngx_openssl_module_ctx, /* module context */ | |
118 ngx_openssl_commands, /* module directives */ | |
119 NGX_CORE_MODULE, /* module type */ | |
120 NULL, /* init master */ | |
121 NULL, /* init module */ | |
122 NULL, /* init process */ | |
123 NULL, /* init thread */ | |
124 NULL, /* exit thread */ | |
125 NULL, /* exit process */ | |
571 | 126 ngx_openssl_exit, /* exit master */ |
541 | 127 NGX_MODULE_V1_PADDING |
547 | 128 }; |
969 | 131 int ngx_ssl_connection_index; |
132 int ngx_ssl_server_conf_index; | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
133 int ngx_ssl_session_cache_index; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
134 int ngx_ssl_session_ticket_keys_index; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
135 int ngx_ssl_ocsp_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
136 int ngx_ssl_certificate_index; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
137 int ngx_ssl_next_certificate_index; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
138 int ngx_ssl_certificate_name_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
139 int ngx_ssl_stapling_index; |
489 | 142 ngx_int_t |
143 ngx_ssl_init(ngx_log_t *log) | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
144 { |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
145 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
146 |
6902
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
147 if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) { |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
148 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed"); |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
149 return NGX_ERROR; |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
150 } |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
151 |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
152 /* |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
153 * OPENSSL_init_ssl() may leave errors in the error queue |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
154 * while returning success |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
155 */ |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
156 |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
157 ERR_clear_error(); |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
158 |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
159 #else |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
160 |
968 | 161 OPENSSL_config(NULL); |
162 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
163 SSL_library_init(); |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
164 SSL_load_error_strings(); |
541 | 165 |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
166 OpenSSL_add_all_algorithms(); |
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
167 |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
168 #endif |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
169 |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
170 #ifndef SSL_OP_NO_COMPRESSION |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
171 { |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
172 /* |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
173 * Disable gzip compression in OpenSSL prior to 1.0.0 version, |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
174 * this saves about 522K per connection. |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
175 */ |
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
176 int n; |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
177 STACK_OF(SSL_COMP) *ssl_comp_methods; |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
178 |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
179 ssl_comp_methods = SSL_COMP_get_compression_methods(); |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
180 n = sk_SSL_COMP_num(ssl_comp_methods); |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
181 |
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
182 while (n--) { |
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
183 (void) sk_SSL_COMP_pop(ssl_comp_methods); |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
184 } |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
185 } |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
186 #endif |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
187 |
969 | 188 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
671 | 189 |
969 | 190 if (ngx_ssl_connection_index == -1) { |
671 | 191 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); |
192 return NGX_ERROR; | |
193 } | |
194 | |
969 | 195 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
196 NULL); | |
197 if (ngx_ssl_server_conf_index == -1) { | |
198 ngx_ssl_error(NGX_LOG_ALERT, log, 0, | |
199 "SSL_CTX_get_ex_new_index() failed"); | |
200 return NGX_ERROR; | |
201 } | |
202 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
203 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
204 NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
205 if (ngx_ssl_session_cache_index == -1) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
206 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
207 "SSL_CTX_get_ex_new_index() failed"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
208 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
209 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
210 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
211 ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
212 NULL, NULL); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
213 if (ngx_ssl_session_ticket_keys_index == -1) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
214 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
215 "SSL_CTX_get_ex_new_index() failed"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
216 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
217 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
218 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
219 ngx_ssl_ocsp_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
220 if (ngx_ssl_ocsp_index == -1) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
221 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
222 "SSL_CTX_get_ex_new_index() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
223 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
224 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
225 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
226 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
227 NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
228 if (ngx_ssl_certificate_index == -1) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
229 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
230 "SSL_CTX_get_ex_new_index() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
231 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
232 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
233 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
234 ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
235 NULL); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
236 if (ngx_ssl_next_certificate_index == -1) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
237 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
238 return NGX_ERROR; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
239 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
240 |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
241 ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
242 NULL); |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
243 |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
244 if (ngx_ssl_certificate_name_index == -1) { |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
245 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
246 return NGX_ERROR; |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
247 } |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
248 |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
249 ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
250 |
251 if (ngx_ssl_stapling_index == -1) { |
252 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
253 return NGX_ERROR; |
254 } |
255 |
256 return NGX_OK; |
257 } |
258 |
259 |
/*
 * Creates ssl->ctx and applies nginx's baseline context configuration.
 *
 * protocols - bitmask of NGX_SSL_* versions to allow; every version that
 *             is absent from the mask gets the matching SSL_OP_NO_* option
 *             set on the context.
 * data      - stored in the context ex_data slot ngx_ssl_server_conf_index
 *             for later retrieval by callbacks; nothing here dereferences
 *             it, so what it points to is the caller's business.
 *
 * Returns NGX_OK, or NGX_ERROR after logging at NGX_LOG_EMERG.
 *
 * NOTE(review): on the error paths below ssl->ctx may already have been
 * allocated by SSL_CTX_new() and is not freed here; presumably the caller
 * (or its pool cleanup, ngx_ssl_cleanup_ctx() is referenced further down
 * in this file) owns it - confirm against the callers.
 */
ngx_int_t
ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
{
    /*
     * The version-flexible method: which versions are actually negotiable
     * is decided below by the SSL_OP_NO_* options and the min/max version
     * calls, not by the method itself.
     */
    ssl->ctx = SSL_CTX_new(SSLv23_method());

    if (ssl->ctx == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
        return NGX_ERROR;
    }

    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }

    /*
     * Start the per-context certificate list empty: ngx_ssl_certificate()
     * links each loaded X509 to whatever is stored in this slot (through
     * ngx_ssl_next_certificate_index) and then stores the new certificate
     * here, so the slot has to exist before the first certificate is added.
     */
    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }

    /* default until the ssl_buffer_size directive (see history) overrides it */
    ssl->buffer_size = NGX_SSL_BUFSIZE;

    /*
     * Interoperability workarounds for broken peers.  Each one is guarded
     * with #ifdef because BoringSSL and newer OpenSSL releases have dropped
     * several of these macros (see history).  They generally relax
     * strictness, so do not add new ones without understanding exactly what
     * the workaround tolerates.
     */

    /* client side options */

#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
#endif

#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
#endif

    /* server side options */

#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
#endif

#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
#endif

#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
#endif

#ifdef SSL_OP_TLS_D5_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
#endif

#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
#endif

#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
#endif

    /*
     * A fresh DH private value per handshake, as the option name says;
     * presumably a no-op on libraries that already behave this way.
     */
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);

#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
    /* only in 0.9.8m+ */
    /*
     * Clear the SSLv2/SSLv3/TLSv1 bans first so that the options set below
     * reflect exactly the configured "protocols" mask rather than whatever
     * the library (or, presumably, a system-wide default) started the
     * context with.  The TLSv1.1-TLSv1.3 branches below do the same per
     * version, so clear-then-set is the invariant for every version.
     */
    SSL_CTX_clear_options(ssl->ctx,
                          SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
#endif

    if (!(protocols & NGX_SSL_SSLv2)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
    }
    if (!(protocols & NGX_SSL_SSLv3)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
    }
    if (!(protocols & NGX_SSL_TLSv1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
    }
#ifdef SSL_OP_NO_TLSv1_1
    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
    if (!(protocols & NGX_SSL_TLSv1_1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
    }
#endif
#ifdef SSL_OP_NO_TLSv1_2
    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
    if (!(protocols & NGX_SSL_TLSv1_2)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
    }
#endif
#ifdef SSL_OP_NO_TLSv1_3
    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
    if (!(protocols & NGX_SSL_TLSv1_3)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
    }
#endif

    /*
     * Ticket #1654 (see history): widen the version range explicitly so
     * that the SSL_OP_NO_* bits above are the only thing limiting what gets
     * negotiated; a minimum of 0 means "lowest the library supports".  When
     * TLS1_3_VERSION is defined the second block overrides the first, so
     * the order of the two blocks matters.  Return values are not checked;
     * presumably a failure would leave the library default in place -
     * confirm if this ever matters for a build.
     */
#ifdef SSL_CTX_set_min_proto_version
    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
#endif

#ifdef TLS1_3_VERSION
    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
#endif

    /*
     * No TLS-level compression: saves memory per connection (history says
     * about 300K) and removes the compression oracle that CRIME-style
     * attacks exploit.
     */
#ifdef SSL_OP_NO_COMPRESSION
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
#endif

    /*
     * Added with TLSv1.3 early data support (see history): this turns OFF
     * the library's built-in single-use anti-replay for 0-RTT tickets.
     * Early data is therefore replayable at the TLS layer, and the layers
     * above must treat anything received as early data as potentially
     * replayed (nginx presumably exposes an early-data flag for that -
     * confirm in the protocol modules).
     */
#ifdef SSL_OP_NO_ANTI_REPLAY
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
#endif

    /*
     * Refuse client-initiated renegotiation inside the library; this backs
     * up the ngx_ssl_info_callback() based check installed at the end of
     * this function.
     */
#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
#endif

    /*
     * Treat a transport EOF without close_notify as a normal EOF instead of
     * an error.  Caveat: TLS-level truncation detection is thereby given
     * up, so anything that needs to know a stream was complete has to rely
     * on its own framing (message lengths etc.) - review if this context
     * is ever used for a protocol without such framing.
     */
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
    SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
#endif

    /* let the library free idle buffers (history: about 34K per connection) */
#ifdef SSL_MODE_RELEASE_BUFFERS
    SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif

    /*
     * Do not let the library assemble a certificate chain from its trust
     * store on the fly; ngx_ssl_certificate() supplies the chain explicitly
     * (SSL_CTX_set0_chain() / SSL_CTX_add_extra_chain_cert()).
     */
#ifdef SSL_MODE_NO_AUTO_CHAIN
    SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
#endif

    /* read-ahead on: the library may buffer more than one record per read */
    SSL_CTX_set_read_ahead(ssl->ctx, 1);

    /*
     * ngx_ssl_info_callback() (defined elsewhere in this file) is the
     * renegotiation guard added for CVE-2009-3555, per history.
     */
    SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);

    return NGX_OK;
}
396 | |
397 | |
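/*
 * Loads every certificate/key pair into ssl->ctx by calling
 * ngx_ssl_certificate() for cert[i] together with key[i].
 *
 * certs, keys - parallel ngx_array_t of ngx_str_t: the i-th key belongs to
 *               the i-th certificate.  keys must hold at least as many
 *               entries as certs; a shorter keys array would make the loop
 *               read past keys->elts, so it is rejected here instead of
 *               relying solely on whatever validation the configuration
 *               layer does (not visible in this file).
 * passwords   - handed through to ngx_ssl_certificate() unchanged.
 *
 * Returns NGX_OK, or NGX_ERROR (after logging) on a count mismatch or as
 * soon as one certificate fails to load.
 */
ngx_int_t
ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
    ngx_array_t *keys, ngx_array_t *passwords)
{
    ngx_str_t   *cert, *key;
    ngx_uint_t   i;

    /* defensive bounds check: key[i] below must stay inside keys->elts */
    if (keys->nelts < certs->nelts) {
        ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
                      "%ui ssl certificates but only %ui keys",
                      certs->nelts, keys->nelts);
        return NGX_ERROR;
    }

    cert = certs->elts;
    key = keys->elts;

    for (i = 0; i < certs->nelts; i++) {

        if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords)
            != NGX_OK)
        {
            return NGX_ERROR;
        }
    }

    return NGX_OK;
}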
419 |
420 |
421 ngx_int_t |
563 | 422 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
423 ngx_str_t *key, ngx_array_t *passwords) |
547 | 424 { |
425 char *err; |
426 X509 *x509; |
427 EVP_PKEY *pkey; |
428 STACK_OF(X509) *chain; |
429 |
430 x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain); |
431 if (x509 == NULL) { |
432 if (err != NULL) { |
433 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
434 "cannot load certificate \"%s\": %s", |
435 cert->data, err); |
436 } |
437 |
438 return NGX_ERROR; |
439 } |
440 |
441 if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) { |
442 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
443 "SSL_CTX_use_certificate(\"%s\") failed", cert->data); |
444 X509_free(x509); |
445 sk_X509_pop_free(chain, X509_free); |
446 return NGX_ERROR; |
447 } |
448 |
449 if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data) |
450 == 0) |
451 { |
452 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
453 X509_free(x509); |
454 sk_X509_pop_free(chain, X509_free); |
455 return NGX_ERROR; |
456 } |
457 |
458 if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index, |
459 SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index)) |
460 == 0) |
461 { |
462 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
463 X509_free(x509); |
464 sk_X509_pop_free(chain, X509_free); |
465 return NGX_ERROR; |
466 } |
467 |
468 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509) == 0) { |
469 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
470 "SSL_CTX_set_ex_data() failed"); |
471 X509_free(x509); |
472 sk_X509_pop_free(chain, X509_free); |
547 | 473 return NGX_ERROR; |
474 } | |
475 | |
476 /* |
477 * Note that x509 is not freed here, but will be instead freed in |
478 * ngx_ssl_cleanup_ctx(). This is because we need to preserve all |
479 * certificates to be able to iterate all of them through exdata |
480 * (ngx_ssl_certificate_index, ngx_ssl_next_certificate_index), |
481 * while OpenSSL can free a certificate if it is replaced with another |
482 * certificate of the same type. |
483 */ |
484 |
485 #ifdef SSL_CTX_set0_chain |
486 |
487 if (SSL_CTX_set0_chain(ssl->ctx, chain) == 0) { |
488 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
489 "SSL_CTX_set0_chain(\"%s\") failed", cert->data); |
490 sk_X509_pop_free(chain, X509_free); |
491 return NGX_ERROR; |
492 } |
493 |
494 #else |
495 { |
496 int n; |
497 |
498 /* SSL_CTX_set0_chain() is only available in OpenSSL 1.0.2+ */ |
499 |
500 n = sk_X509_num(chain); |
501 |
502 while (n--) { |
503 x509 = sk_X509_shift(chain); |
504 |
505 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) { |
506 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
507 "SSL_CTX_add_extra_chain_cert(\"%s\") failed", |
508 cert->data); |
509 sk_X509_pop_free(chain, X509_free); |
510 return NGX_ERROR; |
511 } |
512 } |
513 |
514 sk_X509_free(chain); |
515 } |
516 #endif |
517 |
518 pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords); |
519 if (pkey == NULL) { |
520 if (err != NULL) { |
521 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
522 "cannot load certificate key \"%s\": %s", |
523 key->data, err); |
524 } |
525 |
526 return NGX_ERROR; |
527 } |
528 |
529 if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) { |
530 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
531 "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data); |
532 EVP_PKEY_free(pkey); |
533 return NGX_ERROR; |
534 } |
535 |
536 EVP_PKEY_free(pkey); |
537 |
538 return NGX_OK; |
539 } |
540 |
541 |
/*
 * Installs a per-connection certificate, its chain and the matching
 * private key on c->ssl->connection.  Per the comment in the
 * SSL_set0_chain() branch below, this is only reached via the
 * certificate callback, i.e. while a handshake is in progress, which is
 * why failures are logged at NGX_LOG_ERR rather than NGX_LOG_EMERG.
 *
 * pool       - pool handed to the loaders (path resolution happens there)
 * cert, key  - inline PEM ("data:...") or a file name; the loaders decide
 * passwords  - password list passed through to the key loader
 *
 * Returns NGX_OK, or NGX_ERROR after logging.  When a loader fails and
 * hands back a NULL error string nothing is logged here, on the
 * assumption that the loader (or what it called) already reported it.
 * Every object created on a failure path is released before returning.
 */
ngx_int_t
ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords)
{
    SSL             *ssl;
    char            *reason;
    X509            *leaf;
    EVP_PKEY        *privkey;
    STACK_OF(X509)  *extra;

    /* leaf certificate plus whatever chain certificates followed it */

    leaf = ngx_ssl_load_certificate(pool, &reason, cert, &extra);

    if (leaf == NULL) {
        if (reason == NULL) {
            /* NULL reason: the loader is expected to have reported it */
            return NGX_ERROR;
        }

        ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                      "cannot load certificate \"%s\": %s",
                      cert->data, reason);
        return NGX_ERROR;
    }

    ssl = c->ssl->connection;

    if (SSL_use_certificate(ssl, leaf) == 0) {
        ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                      "SSL_use_certificate(\"%s\") failed", cert->data);
        X509_free(leaf);
        sk_X509_pop_free(extra, X509_free);
        return NGX_ERROR;
    }

    /*
     * the connection is assumed to hold its own reference after a
     * successful SSL_use_certificate(), so our reference goes away here
     */

    X509_free(leaf);

#ifdef SSL_set0_chain

    /*
     * SSL_set0_chain() is only available in OpenSSL 1.0.2+,
     * but this function is only called via certificate callback,
     * which is only available in OpenSSL 1.0.2+ as well.
     *
     * NOTE: on a build without SSL_set0_chain() the chain is neither
     * attached nor freed; by the reasoning above that build cannot
     * reach this function.
     */

    if (SSL_set0_chain(ssl, extra) == 0) {
        ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                      "SSL_set0_chain(\"%s\") failed", cert->data);
        sk_X509_pop_free(extra, X509_free);
        return NGX_ERROR;
    }

    /* SSL_set0_chain() took ownership of "extra"; do not free it */

#endif

    /* private key */

    privkey = ngx_ssl_load_certificate_key(pool, &reason, key, passwords);

    if (privkey == NULL) {
        if (reason == NULL) {
            return NGX_ERROR;
        }

        ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                      "cannot load certificate key \"%s\": %s",
                      key->data, reason);
        return NGX_ERROR;
    }

    if (SSL_use_PrivateKey(ssl, privkey) == 0) {
        ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                      "SSL_use_PrivateKey(\"%s\") failed", key->data);
        EVP_PKEY_free(privkey);
        return NGX_ERROR;
    }

    /* as with the certificate, the connection keeps its own reference */

    EVP_PKEY_free(privkey);

    return NGX_OK;
}
611 |
612 |
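/*
 * Reads a PEM certificate, either inline ("data:<pem>") or from a file
 * whose name is resolved relative to ngx_cycle->conf_prefix, and returns
 * the first certificate found.  Any further certificates in the same
 * input are collected, in input order, into a newly allocated *chain.
 *
 * Ownership: the returned X509 and *chain belong to the caller, who
 * releases them with X509_free() and sk_X509_pop_free().  On failure
 * NULL is returned, everything read so far has already been freed, and
 * *chain is not meaningful (it may be unset, NULL, or point at a stack
 * that was just freed).  *err then points to a static description of
 * the failing OpenSSL call, or is NULL when ngx_get_full_name() failed
 * (callers skip logging in that case).
 *
 * PEM_R_NO_START_LINE after the last certificate is the normal
 * end-of-input condition and is cleared; any other PEM error is a
 * malformed input.
 */
static X509 *
ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
    STACK_OF(X509) **chain)
{
    BIO     *bio;
    X509    *x509, *temp;
    u_long   n;

    if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {

        /* inline PEM: the BIO reads the configuration string in place */

        bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
                              cert->len - (sizeof("data:") - 1));
        if (bio == NULL) {
            *err = "BIO_new_mem_buf() failed";
            return NULL;
        }

    } else {

        /* relative paths are taken from the configuration prefix */

        if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert)
            != NGX_OK)
        {
            *err = NULL;
            return NULL;
        }

        bio = BIO_new_file((char *) cert->data, "r");
        if (bio == NULL) {
            *err = "BIO_new_file() failed";
            return NULL;
        }
    }

    /* certificate itself */

    x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
    if (x509 == NULL) {
        *err = "PEM_read_bio_X509_AUX() failed";
        BIO_free(bio);
        return NULL;
    }

    /* rest of the chain */

    *chain = sk_X509_new_null();
    if (*chain == NULL) {
        *err = "sk_X509_new_null() failed";
        BIO_free(bio);
        X509_free(x509);
        return NULL;
    }

    for ( ;; ) {

        temp = PEM_read_bio_X509(bio, NULL, NULL, NULL);
        if (temp == NULL) {
            n = ERR_peek_last_error();

            if (ERR_GET_LIB(n) == ERR_LIB_PEM
                && ERR_GET_REASON(n) == PEM_R_NO_START_LINE)
            {
                /* end of file */
                ERR_clear_error();
                break;
            }

            /* some real error */

            *err = "PEM_read_bio_X509() failed";
            BIO_free(bio);
            X509_free(x509);
            sk_X509_pop_free(*chain, X509_free);
            return NULL;
        }

        if (sk_X509_push(*chain, temp) == 0) {
            *err = "sk_X509_push() failed";
            BIO_free(bio);
            X509_free(x509);

            /*
             * "temp" never made it onto the stack, so sk_X509_pop_free()
             * below will not release it; free it explicitly
             */

            X509_free(temp);
            sk_X509_pop_free(*chain, X509_free);
            return NULL;
        }
    }

    BIO_free(bio);

    return x509;
}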
701 |
702 |
703 static EVP_PKEY * |
704 ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
705 ngx_str_t *key, ngx_array_t *passwords) |
706 { |
707 BIO *bio; |
708 EVP_PKEY *pkey; |
709 ngx_str_t *pwd; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
710 ngx_uint_t tries; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
711 pem_password_cb *cb; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
712 |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
713 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
714 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
715 #ifndef OPENSSL_NO_ENGINE |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
716 |
7476
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
717 u_char *p, *last; |
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
718 ENGINE *engine; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
719 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
720 p = key->data + sizeof("engine:") - 1; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
721 last = (u_char *) ngx_strchr(p, ':'); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
722 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
723 if (last == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
724 *err = "invalid syntax"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
725 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
726 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
727 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
728 *last = '\0'; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
729 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
730 engine = ENGINE_by_id((char *) p); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
731 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
732 if (engine == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
733 *err = "ENGINE_by_id() failed"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
734 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
735 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
736 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
737 *last++ = ':'; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
738 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
739 pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
740 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
741 if (pkey == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
742 *err = "ENGINE_load_private_key() failed"; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
743 ENGINE_free(engine); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
744 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
745 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
746 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
747 ENGINE_free(engine); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
748 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
749 return pkey; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
750 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
751 #else |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
752 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
753 *err = "loading \"engine:...\" certificate keys is not supported"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
754 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
755 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
756 #endif |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
757 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
758 |
7477
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
759 if (ngx_strncmp(key->data, "data:", sizeof("data:") - 1) == 0) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
760 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
761 bio = BIO_new_mem_buf(key->data + sizeof("data:") - 1, |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
762 key->len - (sizeof("data:") - 1)); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
763 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
764 *err = "BIO_new_mem_buf() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
765 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
766 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
767 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
768 } else { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
769 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
770 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
771 != NGX_OK) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
772 { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
773 *err = NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
774 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
775 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
776 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
777 bio = BIO_new_file((char *) key->data, "r"); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
778 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
779 *err = "BIO_new_file() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
780 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
781 } |
563 | 782 } |
783 | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
784 if (passwords) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
785 tries = passwords->nelts; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
786 pwd = passwords->elts; |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
787 cb = ngx_ssl_password_callback; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
788 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
789 } else { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
790 tries = 1; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
791 pwd = NULL; |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
792 cb = NULL; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
793 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
794 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
795 for ( ;; ) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
796 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
797 pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
798 if (pkey != NULL) { |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
799 break; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
800 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
801 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
802 if (tries-- > 1) { |
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
803 ERR_clear_error(); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
804 (void) BIO_reset(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
805 pwd++; |
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
806 continue; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
807 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
808 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
809 *err = "PEM_read_bio_PrivateKey() failed"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
810 BIO_free(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
811 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
812 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
813 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
814 BIO_free(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
815 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
816 return pkey; |
547 | 817 } |
818 | |
819 | |
/*
 * PEM passphrase callback used by ngx_ssl_load_certificate_key().
 *
 * "userdata" is the ngx_str_t holding the password to try (or NULL).  The
 * password bytes are copied into "buf", at most "size" of them, and the
 * number of bytes copied is returned.  Returns 0 when no password was
 * supplied, or when OpenSSL asks for an encryption passphrase (rwflag
 * set), which this callback does not serve.
 */
static int
ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
{
    size_t      len;
    ngx_str_t  *pwd;

    if (rwflag) {
        /* only decryption of an existing PEM key is expected here */
        ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
                      "ngx_ssl_password_callback() is called for encryption");
        return 0;
    }

    pwd = userdata;

    if (pwd == NULL) {
        return 0;
    }

    len = pwd->len;

    if (len > (size_t) size) {
        /* OpenSSL's buffer is smaller than the configured password */
        ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0,
                      "password is truncated to %d bytes", size);
        len = (size_t) size;
    }

    ngx_memcpy(buf, pwd->data, len);

    return (int) len;
}
846 |
847 |
/*
 * Installs the cipher list "ciphers" (OpenSSL cipher-string syntax) on the
 * context and, when prefer_server_ciphers is non-zero, makes the server's
 * ordering take precedence over the client's.  "cf" is unused.
 *
 * SSL_CTX_set_cipher_list() covers the pre-TLSv1.3 cipher list only;
 * TLSv1.3 ciphersuites are configured through a separate OpenSSL API and
 * are not touched here.
 *
 * Returns NGX_OK, or NGX_ERROR after logging when OpenSSL rejects the list.
 */
ngx_int_t
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
    ngx_uint_t prefer_server_ciphers)
{
    int  rc;

    rc = SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data);

    if (rc == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_cipher_list(\"%V\") failed",
                      ciphers);
        return NGX_ERROR;
    }

    if (prefer_server_ciphers == 0) {
        return NGX_OK;
    }

    SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

    return NGX_OK;
}
865 |
866 |
/*
 * Enables client certificate verification on the context: the peer is
 * asked for a certificate (SSL_VERIFY_PEER), chain verification is limited
 * to "depth", and results go through ngx_ssl_verify_callback().
 *
 * The mode is SSL_VERIFY_PEER without SSL_VERIFY_FAIL_IF_NO_PEER_CERT, so
 * a client that presents no certificate is not rejected at this layer.
 * NOTE(review): presumably the verification result is checked by the
 * caller after the handshake - confirm.
 *
 * When "cert" is empty only the mode and depth are set.  Otherwise "cert"
 * is resolved to a full path, loaded as the trusted CAs for verification,
 * and the CA names from the same file are set as the list advertised to
 * clients in the certificate request.
 *
 * Returns NGX_OK, or NGX_ERROR (the failing OpenSSL call is logged;
 * an ngx_conf_full_name() failure is returned without logging here).
 */
ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    ngx_int_t depth)
{
    STACK_OF(X509_NAME)  *ca_names;

    SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
    SSL_CTX_set_verify_depth(ssl->ctx, depth);

    if (cert->len == 0) {
        return NGX_OK;
    }

    if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    if (!SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_load_verify_locations(\"%s\") failed",
                      cert->data);
        return NGX_ERROR;
    }

    /*
     * SSL_CTX_load_verify_locations() may leave errors in the error queue
     * while returning success
     */

    ERR_clear_error();

    ca_names = SSL_load_client_CA_file((char *) cert->data);

    if (ca_names == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_load_client_CA_file(\"%s\") failed", cert->data);
        return NGX_ERROR;
    }

    SSL_CTX_set_client_CA_list(ssl->ctx, ca_names);

    return NGX_OK;
}
913 | |
914 | |
/*
 * Adds the CAs in "cert" to the context's trusted set for peer
 * verification, keeping whatever verify mode is already in effect (for
 * example the one installed by ngx_ssl_client_certificate()) and only
 * refreshing the verify callback and depth.
 *
 * Unlike ngx_ssl_client_certificate(), the CA names in "cert" are not
 * advertised to clients.  When "cert" is empty only the callback and
 * depth are updated.
 *
 * Returns NGX_OK, or NGX_ERROR (logged when the OpenSSL load fails;
 * an ngx_conf_full_name() failure is returned without logging here).
 */
ngx_int_t
ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    ngx_int_t depth)
{
    int  mode;

    /* preserve the verify mode already configured on the context */
    mode = SSL_CTX_get_verify_mode(ssl->ctx);

    SSL_CTX_set_verify(ssl->ctx, mode, ngx_ssl_verify_callback);
    SSL_CTX_set_verify_depth(ssl->ctx, depth);

    if (cert->len == 0) {
        return NGX_OK;
    }

    if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    if (!SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_load_verify_locations(\"%s\") failed",
                      cert->data);
        return NGX_ERROR;
    }

    /*
     * SSL_CTX_load_verify_locations() may leave errors in the error queue
     * while returning success
     */

    ERR_clear_error();

    return NGX_OK;
}
950 |
951 |
/*
 * Loads the PEM CRL file "crl" into the context's certificate store and
 * turns on CRL checking for peer verification.  An empty "crl" is a no-op.
 *
 * X509_V_FLAG_CRL_CHECK_ALL makes OpenSSL check every certificate in the
 * chain against a CRL, not just the leaf, so a CRL must be available for
 * each issuer in the chain or verification fails.  The file is read once
 * here; nothing in this function re-reads it later.
 *
 * Returns NGX_OK, or NGX_ERROR (OpenSSL failures are logged;
 * an ngx_conf_full_name() failure is returned without logging here).
 */
ngx_int_t
ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
{
    X509_STORE   *cert_store;
    X509_LOOKUP  *file_lookup;

    if (crl->len == 0) {
        return NGX_OK;
    }

    if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    cert_store = SSL_CTX_get_cert_store(ssl->ctx);

    if (cert_store == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_get_cert_store() failed");
        return NGX_ERROR;
    }

    file_lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());

    if (file_lookup == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "X509_STORE_add_lookup() failed");
        return NGX_ERROR;
    }

    if (!X509_LOOKUP_load_file(file_lookup, (char *) crl->data,
                               X509_FILETYPE_PEM))
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "X509_LOOKUP_load_file(\"%s\") failed", crl->data);
        return NGX_ERROR;
    }

    X509_STORE_set_flags(cert_store,
                         X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);

    return NGX_OK;
}
995 | |
996 | |
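#if (NGX_DEBUG)

/*
 * Renders an X509_NAME for a debug log line.
 *
 * c:     connection whose log receives an NGX_LOG_ALERT if rendering fails.
 * name:  the name to render; NULL is allowed and yields NULL.
 *
 * Returns a string allocated by X509_NAME_oneline() that the caller must
 * release with OPENSSL_free(), or NULL when there is no name or rendering
 * failed.
 */
static char *
ngx_ssl_debug_name(ngx_connection_t *c, X509_NAME *name)
{
    char  *str;

    if (name == NULL) {
        return NULL;
    }

    str = X509_NAME_oneline(name, NULL, 0);

    if (str == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed");
    }

    return str;
}

#endif


/*
 * OpenSSL certificate verification callback.
 *
 * ok:          OpenSSL's preliminary verdict for the current certificate
 *              (1 = passed, 0 = failed with the error reported below).
 * x509_store:  verification context; the owning SSL connection is
 *              recovered from its ex_data.
 *
 * Always returns 1.  This callback is for logging only: it never rejects
 * a certificate and it does not clear the error OpenSSL recorded, so the
 * verification outcome is expected to be read by the caller through
 * SSL_get_verify_result() afterwards (that code is not visible here).  Do
 * not mistake this callback for an enforcement point.
 *
 * The body is compiled only in debug builds and is skipped at run time
 * unless the connection log has NGX_LOG_DEBUG_EVENT enabled.
 */
static int
ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
{
#if (NGX_DEBUG)
    char              *subject, *issuer;
    int                err, depth;
    X509              *cert;
    ngx_connection_t  *c;
    ngx_ssl_conn_t    *ssl_conn;

    ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
                                          SSL_get_ex_data_X509_STORE_CTX_idx());

    c = ngx_ssl_get_connection(ssl_conn);

    if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) {
        return 1;
    }

    cert = X509_STORE_CTX_get_current_cert(x509_store);
    err = X509_STORE_CTX_get_error(x509_store);
    depth = X509_STORE_CTX_get_error_depth(x509_store);

    /*
     * OpenSSL documents that the current certificate is NULL when no single
     * certificate is responsible for the error (policy tree failures, for
     * instance); X509_get_subject_name() must not be called with NULL
     */
    if (cert == NULL) {
        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "verify:%d, error:%d, depth:%d, no current certificate",
                       ok, err, depth);
        return 1;
    }

    subject = ngx_ssl_debug_name(c, X509_get_subject_name(cert));
    issuer = ngx_ssl_debug_name(c, X509_get_issuer_name(cert));

    ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "verify:%d, error:%d, depth:%d, "
                   "subject:\"%s\", issuer:\"%s\"",
                   ok, err, depth,
                   subject ? subject : "(none)",
                   issuer ? issuer : "(none)");

    /* both strings came from OpenSSL's allocator */
    if (subject) {
        OPENSSL_free(subject);
    }

    if (issuer) {
        OPENSSL_free(issuer);
    }
#endif

    return 1;
}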
1065 | |
1066 | |
/*
 * OpenSSL info callback, invoked by the library at handshake state
 * transitions.
 *
 * ssl_conn:  the connection whose state changed.
 * where:     SSL_CB_* bit mask describing the event.
 * ret:       OpenSSL's return value for the event; unused here.
 *
 * Two jobs, both recorded as side effects on c->ssl:
 *
 *  1. Renegotiation detection (CVE-2009-3555 mitigation).  On a server
 *     connection, a handshake start after the initial handshake has
 *     completed is treated as a renegotiation.  The callback only sets
 *     c->ssl->renegotiation; acting on the flag is left to the connection
 *     code, which is not visible here.  Where the OpenSSL build defines
 *     SSL_OP_NO_RENEGOTIATION the library refuses renegotiation itself and
 *     this detection is compiled out.
 *
 *  2. Handshake write buffer sizing.  OpenSSL's default 4k handshake
 *     buffer is too small for long certificate chains and can cost extra
 *     round-trips.  Write-side buffering is detected by the read and write
 *     BIOs differing; the write buffer is then grown to NGX_SSL_BUFSIZE,
 *     once per connection (handshake_buffer_set).
 */
static void
ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
{
    BIO               *in_bio, *out_bio;
    ngx_ssl_conn_t    *sc;
    ngx_connection_t  *c;

    sc = (ngx_ssl_conn_t *) ssl_conn;

#ifndef SSL_OP_NO_RENEGOTIATION

    if ((where & SSL_CB_HANDSHAKE_START) && SSL_is_server(sc)) {
        c = ngx_ssl_get_connection(sc);

        /* a new handshake on an already handshaken server connection */
        if (c->ssl->handshaked) {
            c->ssl->renegotiation = 1;
            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
        }
    }

#endif

    if ((where & SSL_CB_ACCEPT_LOOP) != SSL_CB_ACCEPT_LOOP) {
        return;
    }

    c = ngx_ssl_get_connection(sc);

    if (c->ssl->handshake_buffer_set) {
        return;
    }

    in_bio = SSL_get_rbio(ssl_conn);
    out_bio = SSL_get_wbio(ssl_conn);

    /* identical BIOs: no write-side buffering has been added yet */
    if (in_bio == out_bio) {
        return;
    }

    (void) BIO_set_write_buffer_size(out_bio, NGX_SSL_BUFSIZE);
    c->ssl->handshake_buffer_set = 1;
}
1113 |
1114 |
1115 ngx_array_t * |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1116 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1117 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1118 u_char *p, *last, *end; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1119 size_t len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1120 ssize_t n; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1121 ngx_fd_t fd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1122 ngx_str_t *pwd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1123 ngx_array_t *passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1124 ngx_pool_cleanup_t *cln; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1125 u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE]; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1126 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1127 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1128 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1129 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1130 |
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1131 passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t)); |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1132 if (passwords == NULL) { |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1133 return NULL; |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1134 } |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1135 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1136 cln = ngx_pool_cleanup_add(cf->temp_pool, 0); |
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1137 if (cln == NULL) { |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1138 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1139 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1140 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1141 cln->handler = ngx_ssl_passwords_cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1142 cln->data = passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1143 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1144 fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); |
7086 | 1145 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1146 if (fd == NGX_INVALID_FILE) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1147 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1148 ngx_open_file_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1149 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1150 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1151 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1152 len = 0; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1153 last = buf; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1154 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1155 do { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1156 n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1157 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1158 if (n == -1) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1159 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1160 ngx_read_fd_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1161 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1162 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1163 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1164 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1165 end = last + n; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1166 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1167 if (len && n == 0) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1168 *end++ = LF; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1169 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1170 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1171 p = buf; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1172 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1173 for ( ;; ) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1174 last = ngx_strlchr(last, end, LF); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1175 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1176 if (last == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1177 break; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1178 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1179 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1180 len = last++ - p; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1181 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1182 if (len && p[len - 1] == CR) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1183 len--; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1184 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1185 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1186 if (len) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1187 pwd = ngx_array_push(passwords); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1188 if (pwd == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1189 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1190 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1191 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1192 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1193 pwd->len = len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1194 pwd->data = ngx_pnalloc(cf->temp_pool, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1195 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1196 if (pwd->data == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1197 passwords->nelts--; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1198 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1199 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1200 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1201 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1202 ngx_memcpy(pwd->data, p, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1203 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1204 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1205 p = last; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1206 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1207 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1208 len = end - p; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1209 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1210 if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1211 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1212 "too long line in \"%s\"", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1213 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1214 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1215 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1216 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1217 ngx_memmove(buf, p, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1218 last = buf + len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1219 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1220 } while (n != 0); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1221 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1222 if (passwords->nelts == 0) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1223 pwd = ngx_array_push(passwords); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1224 if (pwd == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1225 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1226 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1227 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1228 |
1229 ngx_memzero(pwd, sizeof(ngx_str_t)); |
1230 } |
1231 |
1232 cleanup: |
1233 |
1234 if (ngx_close_file(fd) == NGX_FILE_ERROR) { |
1235 ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, |
1236 ngx_close_file_n " \"%s\" failed", file->data); |
1237 } |
1238 |
1239 ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE); |
1240 |
1241 return passwords; |
1242 } |
1243 |
1244 |
/*
 * Makes the certificate-key passwords available at runtime.
 *
 * cf        - configuration context; cf->pool receives the copies
 *             and the cleanup handler that wipes them
 * passwords - array of ngx_str_t read from the password file,
 *             or NULL when no password file was configured
 *
 * Returns the array of copies, a static empty array when passwords is
 * NULL, or NULL on allocation failure.
 *
 * The copies are zeroed by ngx_ssl_passwords_cleanup() when cf->pool is
 * destroyed, so the passphrases do not outlive the configuration.
 */
ngx_array_t *
ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
{
    ngx_str_t           *src, *end, *dst;
    ngx_array_t         *copy;
    ngx_pool_cleanup_t  *cln;
    static ngx_array_t   empty_passwords;

    /*
     * Without a password file an empty (never NULL) array is handed
     * back, so that OpenSSL's default password callback is never used:
     * that callback would block reading a passphrase from stdin.
     */

    if (passwords == NULL) {
        return &empty_passwords;
    }

    /*
     * The source array lives in the temporary pool and is cleared
     * once the configuration has been parsed; runtime users need
     * copies in the configuration pool.
     */

    copy = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t));
    if (copy == NULL) {
        return NULL;
    }

    /*
     * The wiping handler is registered before the first copy is made,
     * so even a partially built array is cleared if a later
     * allocation fails.
     */

    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NULL;
    }

    cln->handler = ngx_ssl_passwords_cleanup;
    cln->data = copy;

    src = passwords->elts;
    end = src + passwords->nelts;

    for ( /* void */ ; src < end; src++) {

        dst = ngx_array_push(copy);
        if (dst == NULL) {
            return NULL;
        }

        dst->len = src->len;
        dst->data = ngx_pnalloc(cf->pool, src->len);

        if (dst->data == NULL) {
            /*
             * drop the half-initialized entry, otherwise the cleanup
             * handler would try to zero memory through a NULL pointer
             */
            copy->nelts--;
            return NULL;
        }

        ngx_memcpy(dst->data, src->data, src->len);
    }

    return copy;
}
1306 |
1307 |
/*
 * Pool cleanup handler: wipes every password stored in the array.
 *
 * data - the ngx_array_t of ngx_str_t passwords registered with
 *        ngx_pool_cleanup_add()
 *
 * ngx_explicit_memzero() is used rather than ngx_memzero() so that the
 * compiler cannot drop the store as dead: the memory is about to be
 * released with the pool.  Only the password bytes are cleared; the
 * ngx_str_t entries and the array storage are plain pool memory.
 */
static void
ngx_ssl_passwords_cleanup(void *data)
{
    ngx_array_t  *passwords = data;

    ngx_str_t  *pwd, *end;

    pwd = passwords->elts;
    end = pwd + passwords->nelts;

    while (pwd < end) {
        ngx_explicit_memzero(pwd->data, pwd->len);
        pwd++;
    }
}
1322 |
1323 |
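/*
 * Installs Diffie-Hellman parameters for DHE key exchange from a PEM
 * file ("ssl_dhparam" directive).
 *
 * cf   - configuration context; cf->cycle is used to resolve a
 *        relative file name
 * ssl  - nginx SSL context; ssl->ctx receives the parameters and
 *        ssl->log gets the error messages
 * file - PEM file name; an empty name means no parameters are
 *        configured and NGX_OK is returned without touching ssl->ctx
 *
 * Returns NGX_OK, or NGX_ERROR after logging at NGX_LOG_EMERG.
 *
 * The parameters are installed exactly as read: nothing here checks the
 * group size or that p is a safe prime, and whatever validation happens
 * is up to the library.  A weak or attacker-chosen group weakens every
 * DHE handshake that uses it, so the file should only come from a
 * trusted source (e.g. generated with "openssl dhparam").
 */
ngx_int_t
ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
{
    BIO  *bio;

    if (file->len == 0) {
        return NGX_OK;
    }

    if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    bio = BIO_new_file((char *) file->data, "r");
    if (bio == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "BIO_new_file(\"%s\") failed", file->data);
        return NGX_ERROR;
    }

#ifdef SSL_CTX_set_tmp_dh
    {
    DH  *dh;

    /*
     * pre-3.0 API: SSL_CTX_set_tmp_dh() keeps its own copy of the
     * parameters, so the DH object is released here on every path
     */

    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
    if (dh == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "PEM_read_bio_DHparams(\"%s\") failed", file->data);
        BIO_free(bio);
        return NGX_ERROR;
    }

    if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_tmp_dh(\"%s\") failed", file->data);
        DH_free(dh);
        BIO_free(bio);
        return NGX_ERROR;
    }

    DH_free(dh);
    }
#else
    {
    EVP_PKEY  *dh;

    /*
     * PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh()
     * are deprecated in OpenSSL 3.0
     */

    dh = PEM_read_bio_Parameters(bio, NULL);
    if (dh == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "PEM_read_bio_Parameters(\"%s\") failed", file->data);
        BIO_free(bio);
        return NGX_ERROR;
    }

    /*
     * set0 convention: on success ownership of dh moves to ssl->ctx,
     * so it is not freed on the success path
     */

    if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed", file->data);
#if (OPENSSL_VERSION_NUMBER >= 0x3000001fL)
        /*
         * the key is freed here only with 3.0.1+; the version guard
         * indicates that earlier 3.0 releases consumed it even on
         * failure, where freeing it would be a double free
         */
        EVP_PKEY_free(dh);
#endif
        BIO_free(bio);
        return NGX_ERROR;
    }
    }
#endif

    BIO_free(bio);

    return NGX_OK;
}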
1399 | |
4522 | 1400 |
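/*
 * Configures the curve(s) used for ECDHE key exchange
 * ("ssl_ecdh_curve" directive).
 *
 * cf   - configuration context (not used by the code paths here)
 * ssl  - nginx SSL context; ssl->ctx is configured and ssl->log gets
 *        the error messages
 * name - a curve name, "auto", or (OpenSSL 1.0.2+ only) a list in
 *        SSL_CTX_set1_curves_list() syntax; must be NUL-terminated
 *
 * Returns NGX_OK, or NGX_ERROR after logging at NGX_LOG_EMERG.
 *
 * Built with OPENSSL_NO_ECDH this function is silently a no-op: the
 * name is ignored and NGX_OK is returned.
 */
ngx_int_t
ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
{
#ifndef OPENSSL_NO_ECDH

    /*
     * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
     * from RFC 4492 section 5.1.1, or explicitly described curves over
     * prime or binary fields.  OpenSSL only supports the "named curves",
     * which provide maximum interoperability.
     */

#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)

    /*
     * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
     * curve previously supported.  By default an internal list is used,
     * with prime256v1 being preferred by server in OpenSSL 1.0.2b+
     * and X25519 in OpenSSL 1.1.0+.
     *
     * By default a curve preferred by the client will be used for
     * key exchange.  The SSL_OP_CIPHER_SERVER_PREFERENCE option can
     * be used to prefer server curves instead, similar to what it
     * does for ciphers.
     */

    /* a fresh ephemeral ECDH key for every handshake */
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);

#ifdef SSL_CTRL_SET_ECDH_AUTO
    /*
     * not needed in OpenSSL 1.1.0+; the (void) cast is for BoringSSL,
     * whose stub macro expands to a bare constant
     */
    (void) SSL_CTX_set_ecdh_auto(ssl->ctx, 1);
#endif

    /* "auto": leave the library's default curve list in place */
    if (ngx_strcmp(name->data, "auto") == 0) {
        return NGX_OK;
    }

    if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set1_curves_list(\"%s\") failed", name->data);
        return NGX_ERROR;
    }

#else

    int      nid;
    char    *curve;
    EC_KEY  *ecdh;

    /* pre-1.0.2 OpenSSL: a single curve only, "auto" maps to prime256v1 */

    if (ngx_strcmp(name->data, "auto") == 0) {
        curve = "prime256v1";

    } else {
        curve = (char *) name->data;
    }

    nid = OBJ_sn2nid(curve);
    if (nid == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "OBJ_sn2nid(\"%s\") failed: unknown curve", curve);
        return NGX_ERROR;
    }

    ecdh = EC_KEY_new_by_curve_name(nid);
    if (ecdh == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "EC_KEY_new_by_curve_name(\"%s\") failed", curve);
        return NGX_ERROR;
    }

    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);

    /*
     * SSL_CTX_set_tmp_ecdh() keeps its own copy of the key, so ecdh is
     * freed on both paths; its result is checked the same way
     * ngx_ssl_dhparam() checks SSL_CTX_set_tmp_dh(), so that a curve the
     * library rejects fails configuration instead of silently leaving
     * ECDHE unconfigured
     */

    if (SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_tmp_ecdh(\"%s\") failed", curve);
        EC_KEY_free(ecdh);
        return NGX_ERROR;
    }

    EC_KEY_free(ecdh);
#endif
#endif

    return NGX_OK;
}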
2044 | 1481 |
4522 | 1482 |
2044 | 1483 ngx_int_t |
1484 ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) |
1485 { |
1486 if (!enable) { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1487 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1488 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1489 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1490 #ifdef SSL_ERROR_EARLY_DATA_REJECTED |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1491 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1492 /* BoringSSL */ |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1493 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1494 SSL_CTX_set_early_data_enabled(ssl->ctx, 1); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1495 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1496 #elif defined SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1497 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1498 /* OpenSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1499 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1500 SSL_CTX_set_max_early_data(ssl->ctx, NGX_SSL_BUFSIZE); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1501 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1502 #else |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1503 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1504 "\"ssl_early_data\" is not supported on this platform, " |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1505 "ignored"); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1506 #endif |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1507 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1508 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1509 } |
1510 |
1511 |
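/*
 * Applies the key/value pairs collected from "ssl_conf_command" directives
 * to the SSL context through the OpenSSL SSL_CONF API.
 *
 * commands: array of ngx_keyval_t, or NULL when no commands were configured
 *           (a no-op returning NGX_OK).  Values of commands whose type is a
 *           file or directory are first resolved against the configuration
 *           prefix with ngx_conf_full_name().
 *
 * Returns NGX_OK, or NGX_ERROR after logging at NGX_LOG_EMERG when a command
 * is rejected, the context cannot be finished, or the library has no
 * SSL_CONF support at all.
 *
 * NOTE(review): SSL_CONF_cmd() takes C strings; this relies on the key and
 * value data being NUL-terminated, including after ngx_conf_full_name() —
 * confirm against the configuration parser.
 */
ngx_int_t
ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *commands)
{
    if (commands == NULL) {
        return NGX_OK;
    }

#ifdef SSL_CONF_FLAG_FILE
    {
    int            type;
    u_char        *key, *value;
    ngx_int_t      rc;
    ngx_uint_t     i;
    ngx_keyval_t  *cmd;
    SSL_CONF_CTX  *cctx;

    cctx = SSL_CONF_CTX_new();
    if (cctx == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CONF_CTX_new() failed");
        return NGX_ERROR;
    }

    /* every early exit below releases cctx through the "done" label */
    rc = NGX_ERROR;

    /*
     * accept configuration-file style commands for both server and client
     * contexts, including certificate/key related ones; SHOW_ERRORS makes
     * the library queue errors so ngx_ssl_error() can report them
     */

    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);

    SSL_CONF_CTX_set_ssl_ctx(cctx, ssl->ctx);

    cmd = commands->elts;
    for (i = 0; i < commands->nelts; i++) {

        key = cmd[i].key.data;
        type = SSL_CONF_cmd_value_type(cctx, (char *) key);

        /* path-valued commands are made absolute relative to the prefix */
        if (type == SSL_CONF_TYPE_FILE || type == SSL_CONF_TYPE_DIR) {
            if (ngx_conf_full_name(cf->cycle, &cmd[i].value, 1) != NGX_OK) {
                goto done;
            }
        }

        value = cmd[i].value.data;

        if (SSL_CONF_cmd(cctx, (char *) key, (char *) value) <= 0) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "SSL_CONF_cmd(\"%s\", \"%s\") failed", key, value);
            goto done;
        }
    }

    if (SSL_CONF_CTX_finish(cctx) != 1) {
        /* message names the function actually called */
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CONF_CTX_finish() failed");
        goto done;
    }

    rc = NGX_OK;

done:

    SSL_CONF_CTX_free(cctx);

    return rc;
    }
#else
    ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
                  "SSL_CONF_cmd() is not available on this platform");
    return NGX_ERROR;
#endif
}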
1582 |
1583 |
/*
 * Arranges for sessions negotiated by this context as a TLS client to be
 * handed to ngx_ssl_new_client_session() rather than kept in the library's
 * own cache.  A zero "enable" leaves the context untouched.
 *
 * Always returns NGX_OK; "cf" is unused.
 */
ngx_int_t
ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
{
    if (enable == 0) {
        return NGX_OK;
    }

    /*
     * client-side caching with NO_INTERNAL: the library does not store
     * the sessions itself, it only reports them via the new-session callback
     */

    SSL_CTX_set_session_cache_mode(ssl->ctx,
                                   SSL_SESS_CACHE_CLIENT
                                   |SSL_SESS_CACHE_NO_INTERNAL);

    SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session);

    return NGX_OK;
}
1599 |
1600 |
/*
 * New-session callback installed by ngx_ssl_client_session_cache().  When
 * the connection registered a save_session handler, the freshly negotiated
 * session is exposed through c->ssl->session for the duration of that call
 * and cleared again afterwards.
 *
 * Always returns 0: the callback itself keeps no reference to "sess".  A
 * handler that needs the session takes its own reference (presumably via
 * ngx_ssl_get_session(), which bumps the refcount of c->ssl->session).
 */
static int
ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
{
    ngx_connection_t  *c;

    c = ngx_ssl_get_connection(ssl_conn);

    if (c->ssl->save_session == NULL) {
        return 0;
    }

    /* make the session visible to the handler, then hide it again */
    c->ssl->session = sess;

    c->ssl->save_session(c);

    c->ssl->session = NULL;

    return 0;
}
1618 |
1619 |
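/*
 * Creates the per-connection SSL state for "c" from the context in "ssl".
 *
 * flags: NGX_SSL_BUFFER enables buffering (sized by ssl->buffer_size);
 *        NGX_SSL_CLIENT puts the connection in connect (client) state,
 *        otherwise it is set up to accept a handshake as a server.
 *
 * On success c->ssl points to the new state and NGX_OK is returned.  On
 * failure NGX_ERROR is returned and c->ssl is left untouched; an SSL object
 * that was already created is released, since it is not pool-managed and
 * would otherwise leak.
 */
ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
{
    ngx_ssl_connection_t  *sc;

    sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
    if (sc == NULL) {
        return NGX_ERROR;
    }

    sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
    sc->buffer_size = ssl->buffer_size;

    /* the context the connection was created with, preserved per ticket #235 */
    sc->session_ctx = ssl->ctx;

#ifdef SSL_READ_EARLY_DATA_SUCCESS
    /* OpenSSL: a non-zero early data limit means 0-RTT reads are attempted */
    if (SSL_CTX_get_max_early_data(ssl->ctx)) {
        sc->try_early_data = 1;
    }
#endif

    sc->connection = SSL_new(ssl->ctx);

    if (sc->connection == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed");
        return NGX_ERROR;
    }

    if (SSL_set_fd(sc->connection, c->fd) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed");
        goto failed;
    }

    if (flags & NGX_SSL_CLIENT) {
        SSL_set_connect_state(sc->connection);

    } else {
        SSL_set_accept_state(sc->connection);

#ifdef SSL_OP_NO_RENEGOTIATION
        /* server side: refuse TLS renegotiation (see ticket #1376) */
        SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION);
#endif
    }

    /* lets callbacks recover the ngx_connection_t from the SSL object */
    if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
        goto failed;
    }

    c->ssl = sc;

    return NGX_OK;

failed:

    /*
     * c->ssl is never set on this path, so nobody else will free the SSL
     * object; the socket BIO created by SSL_set_fd() does not own c->fd,
     * so releasing it leaves the descriptor to the caller
     */

    SSL_free(sc->connection);
    sc->connection = NULL;

    return NGX_ERROR;
}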
1673 |
1674 |
/*
 * Returns a session for the connection with a reference owned by the caller.
 *
 * With TLSv1.3-capable libraries, a session currently being delivered to the
 * save_session handler (c->ssl->session set) is returned with its refcount
 * bumped; otherwise the library's current session for the connection is
 * returned through SSL_get1_session().
 */
ngx_ssl_session_t *
ngx_ssl_get_session(ngx_connection_t *c)
{
#ifdef TLS1_3_VERSION
    ngx_ssl_session_t  *sess;

    sess = c->ssl->session;

    if (sess != NULL) {
        /* hand out our own reference; the caller is responsible for it */
        SSL_SESSION_up_ref(sess);
        return sess;
    }
#endif

    return SSL_get1_session(c->ssl->connection);
}
1687 |
1688 |
/*
 * Borrowed-reference counterpart of ngx_ssl_get_session(): no reference is
 * taken, so the caller must not free the result.  A session currently being
 * delivered to the save_session handler takes precedence over the library's
 * current session for the connection.
 */
ngx_ssl_session_t *
ngx_ssl_get0_session(ngx_connection_t *c)
{
    ngx_ssl_session_t  *sess;

    sess = c->ssl->session;

    if (sess == NULL) {
        sess = SSL_get0_session(c->ssl->connection);
    }

    return sess;
}
1698 |
1699 |
/*
 * Offers "session" to the library for resumption on this connection; a NULL
 * session is a no-op.
 *
 * Returns NGX_OK, or NGX_ERROR (logged at NGX_LOG_ALERT) when the library
 * rejects the session.
 */
ngx_int_t
ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
{
    if (session == NULL) {
        return NGX_OK;
    }

    if (SSL_set_session(c->ssl->connection, session) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}
1712 | |
1713 | |
1714 ngx_int_t | |
547 | 1715 ngx_ssl_handshake(ngx_connection_t *c) |
1716 { | |
1717 int n, sslerr; | |
1718 ngx_err_t err; | |
1719 ngx_int_t rc; |
547 | 1720 |
1721 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
1722 if (c->ssl->try_early_data) { |
1723 return ngx_ssl_try_early_data(c); |
1724 } |
1725 #endif |
1726 |
1727 if (c->ssl->in_ocsp) { |
1728 return ngx_ssl_ocsp_validate(c); |
1729 } |
1730 |
1731 ngx_ssl_clear_error(c->log); |
1732 |
547 | 1733 n = SSL_do_handshake(c->ssl->connection); |
1734 | |
577 | 1735 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); |
547 | 1736 |
1737 if (n == 1) { | |
1738 | |
1739 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 1740 return NGX_ERROR; |
1741 } | |
1742 | |
1743 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 1744 return NGX_ERROR; |
1745 } | |
1746 | |
1747 #if (NGX_DEBUG) | |
1748 ngx_ssl_handshake_log(c); |
547 | 1749 #endif |
1750 | |
1751 c->recv = ngx_ssl_recv; | |
1752 c->send = ngx_ssl_write; | |
577 | 1753 c->recv_chain = ngx_ssl_recv_chain; |
1754 c->send_chain = ngx_ssl_send_chain; | |
547 | 1755 |
1756 c->read->ready = 1; |
1757 c->write->ready = 1; |
1758 |
1759 #ifndef SSL_OP_NO_RENEGOTIATION |
1760 #if OPENSSL_VERSION_NUMBER < 0x10100000L |
1761 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS |
1762 |
1763 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ |
1764 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { |
1765 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; |
1766 } |
1767 |
1768 #endif |
1769 #endif |
1770 #endif |
1771 |
1772 #if (defined BIO_get_ktls_send && !NGX_WIN32) |
1773 |
1774 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { |
1775 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
1776 "BIO_get_ktls_send(): 1"); |
1777 c->ssl->sendfile = 1; |
1778 } |
1779 |
1780 #endif |
1781 |
1782 rc = ngx_ssl_ocsp_validate(c); |
1783 |
1784 if (rc == NGX_ERROR) { |
1785 return NGX_ERROR; |
1786 } |
1787 |
1788 if (rc == NGX_AGAIN) { |
1789 c->read->handler = ngx_ssl_handshake_handler; |
1790 c->write->handler = ngx_ssl_handshake_handler; |
1791 return NGX_AGAIN; |
1792 } |
1793 |
1794 c->ssl->handshaked = 1; |
1795 |
547 | 1796 return NGX_OK; |
1797 } | |
1798 | |
1799 sslerr = SSL_get_error(c->ssl->connection, n); | |
1800 | |
1801 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); | |
1802 | |
1803 if (sslerr == SSL_ERROR_WANT_READ) { | |
1804 c->read->ready = 0; | |
1805 c->read->handler = ngx_ssl_handshake_handler; | |
591 | 1806 c->write->handler = ngx_ssl_handshake_handler; |
547 | 1807 |
1808 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 1809 return NGX_ERROR; |
1810 } | |
1811 | |
1812 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
1813 return NGX_ERROR; |
1814 } |
1815 |
547 | 1816 return NGX_AGAIN; |
1817 } | |
1818 | |
1819 if (sslerr == SSL_ERROR_WANT_WRITE) { | |
1820 c->write->ready = 0; | |
591 | 1821 c->read->handler = ngx_ssl_handshake_handler; |
547 | 1822 c->write->handler = ngx_ssl_handshake_handler; |
1823 | |
1824 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
1825 return NGX_ERROR; |
1826 } |
1827 |
1828 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 1829 return NGX_ERROR; |
1830 } | |
1831 | |
1832 return NGX_AGAIN; | |
1833 } | |
1834 | |
1835 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; | |
1836 | |
1837 c->ssl->no_wait_shutdown = 1; | |
1838 c->ssl->no_send_shutdown = 1; | |
591 | 1839 c->read->eof = 1; |
547 | 1840 |
1841 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { | |
1842 ngx_connection_error(c, err, |
1843 "peer closed connection in SSL handshake"); |
547 | 1844 |
1845 return NGX_ERROR; | |
1846 } | |
1847 | |
1848 if (c->ssl->handshake_rejected) { |
1849 ngx_connection_error(c, err, "handshake rejected"); |
1850 ERR_clear_error(); |
1851 |
1852 return NGX_ERROR; |
1853 } |
1854 |
591 | 1855 c->read->error = 1; |
1856 | |
547 | 1857 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed"); |
1858 | |
1859 return NGX_ERROR; | |
1860 } | |
1861 | |
1862 | |
1863 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
1864 |
1865 static ngx_int_t |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1866 ngx_ssl_try_early_data(ngx_connection_t *c) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1867 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1868 int n, sslerr; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1869 u_char buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1870 size_t readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1871 ngx_err_t err; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1872 ngx_int_t rc; |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1873 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1874 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1875 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1876 readbytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1877 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1878 n = SSL_read_early_data(c->ssl->connection, &buf, 1, &readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1879 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1880 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1881 "SSL_read_early_data: %d, %uz", n, readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1882 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1883 if (n == SSL_READ_EARLY_DATA_FINISH) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1884 c->ssl->try_early_data = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1885 return ngx_ssl_handshake(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1886 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1887 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1888 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1889 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1890 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1891 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1892 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1893 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1894 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1895 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1896 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1897 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1898 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1899 ngx_ssl_handshake_log(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1900 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1901 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1902 c->ssl->try_early_data = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1903 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1904 c->ssl->early_buf = buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1905 c->ssl->early_preread = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1906 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1907 c->ssl->in_early = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1908 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1909 c->recv = ngx_ssl_recv; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1910 c->send = ngx_ssl_write; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1911 c->recv_chain = ngx_ssl_recv_chain; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1912 c->send_chain = ngx_ssl_send_chain; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1913 |
7891
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1914 c->read->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1915 c->write->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1916 |
8068
0546ab9351c8
Win32: fixed build on Windows with OpenSSL 3.0.x (ticket #2379).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8065
diff
changeset
|
1917 #if (defined BIO_get_ktls_send && !NGX_WIN32) |
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1918 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1919 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1920 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1921 "BIO_get_ktls_send(): 1"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1922 c->ssl->sendfile = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1923 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1924 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1925 #endif |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1926 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1927 rc = ngx_ssl_ocsp_validate(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1928 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1929 if (rc == NGX_ERROR) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1930 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1931 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1932 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1933 if (rc == NGX_AGAIN) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1934 c->read->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1935 c->write->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1936 return NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1937 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1938 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1939 c->ssl->handshaked = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1940 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1941 return NGX_OK; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1942 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1943 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1944 /* SSL_READ_EARLY_DATA_ERROR */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1945 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1946 sslerr = SSL_get_error(c->ssl->connection, n); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1947 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1948 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1949 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1950 if (sslerr == SSL_ERROR_WANT_READ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1951 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1952 c->read->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1953 c->write->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1954 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1955 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1956 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1957 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1958 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1959 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1960 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1961 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1962 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1963 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1964 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1965 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1966 if (sslerr == SSL_ERROR_WANT_WRITE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1967 c->write->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1968 c->read->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1969 c->write->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1970 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1971 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1972 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1973 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1974 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1975 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1976 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1977 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1978 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1979 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1980 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1981 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1982 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1983 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1984 c->ssl->no_wait_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1985 c->ssl->no_send_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1986 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1987 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1988 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1989 ngx_connection_error(c, err, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1990 "peer closed connection in SSL handshake"); |
1991 |
1992 return NGX_ERROR; |
1993 } |
1994 |
1995 c->read->error = 1; |
1996 |
1997 ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed"); |
1998 |
1999 return NGX_ERROR; |
2000 } |
2001 |
2002 #endif |
2003 |
2004 |
2005 #if (NGX_DEBUG) |
2006 |
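/*
 * Debug-only summary of a finished handshake: logs the protocol version
 * and the (whitespace-compacted) cipher description, whether the session
 * was reused, or "SSL no shared ciphers" when no cipher was negotiated.
 */

static void
ngx_ssl_handshake_log(ngx_connection_t *c)
{
    char         buf[129], *s, *d;
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    const
#endif
    SSL_CIPHER  *cipher;

    /* everything below is debug output only, skip the work otherwise */

    if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) {
        return;
    }

    cipher = SSL_get_current_cipher(c->ssl->connection);

    if (cipher == NULL) {
        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL no shared ciphers");
        return;
    }

    /*
     * SSL_CIPHER_description() needs at least 128 bytes and is given
     * &buf[1]; buf[0] is the "previous output character" sentinel of the
     * squeeze loop below, so it is set explicitly instead of being read
     * uninitialized on the first iteration
     */

    buf[0] = '\0';

    if (SSL_CIPHER_description(cipher, &buf[1], 128) == NULL) {
        /* documented error return, the buffer contents are unspecified */
        buf[1] = '\0';
    }

    /*
     * compact the description in place: runs of spaces are collapsed
     * and CR/LF characters dropped, d always points at the last
     * character written
     */

    for (s = &buf[1], d = buf; *s; s++) {
        if (*s == ' ' && *d == ' ') {
            continue;
        }

        if (*s == LF || *s == CR) {
            continue;
        }

        *++d = *s;
    }

    /* a single trailing space is overwritten by the terminator */

    if (*d != ' ') {
        d++;
    }

    *d = '\0';

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL: %s, cipher: \"%s\"",
                   SSL_get_version(c->ssl->connection), &buf[1]);

    if (SSL_session_reused(c->ssl->connection)) {
        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL reused session");
    }
}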
2057 |
2058 #endif |
2059 |
2060 |
/*
 * Event handler that drives ngx_ssl_handshake() for the connection
 * behind "ev" and, once the handshake no longer returns NGX_AGAIN
 * (or the event timed out), calls the handler stored in c->ssl->handler.
 */

static void
ngx_ssl_handshake_handler(ngx_event_t *ev)
{
    ngx_connection_t  *c = ev->data;

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL handshake handler: %d", ev->write);

    /*
     * a timed out event skips the handshake and goes straight to
     * the handler; otherwise only NGX_AGAIN keeps waiting for more I/O
     */

    if (!ev->timedout && ngx_ssl_handshake(c) == NGX_AGAIN) {
        return;
    }

    c->ssl->handler(c);
}
2082 | |
2083 | |
/*
 * Receives decrypted data into the buffers of the chain "cl", one after
 * another, starting at each buffer's b->last.  The b->last pointers are
 * intentionally left untouched; only the byte count is returned and the
 * caller accounts for it.  A non-zero "limit" caps the total number of
 * bytes received.
 *
 * Returns the number of bytes received when at least one byte was read,
 * otherwise whatever ngx_ssl_recv() returned (0, NGX_AGAIN or NGX_ERROR).
 */

ssize_t
ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit)
{
    u_char     *p;
    ssize_t     n, total, room;
    ngx_buf_t  *b;

    total = 0;
    b = cl->buf;
    p = b->last;

    for ( ;; ) {
        room = b->end - p;

        if (limit) {
            if (total >= limit) {
                return total;
            }

            /* never read past the limit even if the buffer has room */

            if (total + room > limit) {
                room = (ssize_t) (limit - total);
            }
        }

        n = ngx_ssl_recv(c, p, room);

        if (n <= 0) {

            if (total == 0) {
                /* nothing read yet: propagate 0, NGX_AGAIN or NGX_ERROR */
                return n;
            }

            /*
             * some data was read before eof or an error; mark the
             * connection readable so that the caller reads again and
             * ngx_ssl_recv() then reports the result it has stored
             */

            if (n == 0 || n == NGX_ERROR) {
                c->read->ready = 1;
            }

            return total;
        }

        p += n;
        total += n;

        if (!c->read->ready) {
            /* ngx_ssl_recv() cleared ready, do not call it again now */
            return total;
        }

        if (p != b->end) {
            continue;
        }

        /* this buffer is full, move on to the next one in the chain */

        cl = cl->next;

        if (cl == NULL) {
            return total;
        }

        b = cl->buf;
        p = b->last;
    }
}
2145 | |
2146 | |
/*
 * Reads decrypted application data from the connection into "buf",
 * at most "size" bytes.  Returns the number of bytes read, 0 on eof
 * (c->read->eof is set), NGX_AGAIN when nothing is available yet,
 * or NGX_ERROR (c->read->error is set).
 *
 * c->ssl->last keeps the result of the last ngx_ssl_handle_recv(), so an
 * eof or error seen after a partial read is reported on the next call
 * instead of being lost.
 */

ssize_t
ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
{
    int  n, bytes;

#ifdef SSL_READ_EARLY_DATA_SUCCESS
    /* TLSv1.3 early data goes through its own read path */
    if (c->ssl->in_early) {
        return ngx_ssl_recv_early(c, buf, size);
    }
#endif

    /* an error or eof stored by the previous call is reported first */

    if (c->ssl->last == NGX_ERROR) {
        c->read->error = 1;
        return NGX_ERROR;
    }

    if (c->ssl->last == NGX_DONE) {
        c->read->ready = 0;
        c->read->eof = 1;
        return 0;
    }

    bytes = 0;

    /* presumably drops stale entries from the OpenSSL error queue */
    ngx_ssl_clear_error(c->log);

    /*
     * SSL_read() may return data in parts, so try to read
     * until SSL_read() would return no data
     */

    for ( ;; ) {

        /*
         * NOTE(review): size is narrowed to SSL_read()'s int length
         * parameter; callers are assumed to pass buffer sizes well
         * below INT_MAX
         */

        n = SSL_read(c->ssl->connection, buf, size);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);

        if (n > 0) {
            bytes += n;
        }

        /* classifies n (and the OpenSSL error state) into NGX_OK/AGAIN/DONE/ERROR */

        c->ssl->last = ngx_ssl_handle_recv(c, n);

        if (c->ssl->last == NGX_OK) {

            size -= n;

            if (size == 0) {
                /* buffer is full: return, but decide whether to read again */
                c->read->ready = 1;

                if (c->read->available >= 0) {
                    c->read->available -= bytes;

                    /*
                     * there can be data buffered at SSL layer,
                     * so we post an event to continue reading on the next
                     * iteration of the event loop
                     */

                    if (c->read->available < 0) {
                        c->read->available = 0;
                        c->read->ready = 0;

                        /* re-post rather than queue the event twice */

                        if (c->read->posted) {
                            ngx_delete_posted_event(c->read);
                        }

                        ngx_post_event(c->read, &ngx_posted_next_events);
                    }

                    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                                   "SSL_read: avail:%d", c->read->available);

                } else {

#if (NGX_HAVE_FIONREAD)

                    /* available is unknown (negative): ask the socket */

                    if (ngx_socket_nread(c->fd, &c->read->available) == -1) {
                        c->read->error = 1;
                        ngx_connection_error(c, ngx_socket_errno,
                                             ngx_socket_nread_n " failed");
                        return NGX_ERROR;
                    }

                    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                                   "SSL_read: avail:%d", c->read->available);

#endif
                }

                return bytes;
            }

            /* room left in the buffer: keep reading after the data just read */

            buf += n;

            continue;
        }

        /*
         * not NGX_OK: with data already read, return it now and leave
         * c->ssl->last for the next call; ready stays set unless the
         * reason was NGX_AGAIN
         */

        if (bytes) {
            if (c->ssl->last != NGX_AGAIN) {
                c->read->ready = 1;
            }

            return bytes;
        }

        /*
         * nothing read in this call; ngx_ssl_handle_recv() is assumed to
         * return only the codes below, any other value loops back to
         * SSL_read()
         */

        switch (c->ssl->last) {

        case NGX_DONE:
            c->read->ready = 0;
            c->read->eof = 1;
            return 0;

        case NGX_ERROR:
            c->read->error = 1;

            /* fall through */

        case NGX_AGAIN:
            return c->ssl->last;
        }
    }
}
2270 | |
2271 | |
2272 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
2273 |
2274 static ssize_t |
2275 ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size) |
2276 { |
2277 int n, bytes; |
2278 size_t readbytes; |
2279 |
2280 if (c->ssl->last == NGX_ERROR) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2281 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2282 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2283 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2284 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2285 if (c->ssl->last == NGX_DONE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2286 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2287 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2288 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2289 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2290 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2291 bytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2292 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2293 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2294 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2295 if (c->ssl->early_preread) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2296 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2297 if (size == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2298 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2299 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2300 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2301 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2302 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2303 *buf = c->ssl->early_buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2304 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2305 c->ssl->early_preread = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2306 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2307 bytes = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2308 size -= 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2309 buf += 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2310 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2311 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2312 if (c->ssl->write_blocked) { |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2313 return NGX_AGAIN; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2314 } |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2315 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2316 /* |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2317 * SSL_read_early_data() may return data in parts, so try to read |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2318 * until SSL_read_early_data() would return no data |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2319 */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2320 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2321 for ( ;; ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2322 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2323 readbytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2324 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2325 n = SSL_read_early_data(c->ssl->connection, buf, size, &readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2326 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2327 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2328 "SSL_read_early_data: %d, %uz", n, readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2329 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2330 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2331 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2332 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2333 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2334 bytes += readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2335 size -= readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2336 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2337 if (size == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2338 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2339 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2340 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2341 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2342 buf += readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2343 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2344 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2345 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2346 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2347 if (n == SSL_READ_EARLY_DATA_FINISH) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2348 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2349 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2350 c->ssl->in_early = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2351 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2352 if (bytes) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2353 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2354 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2355 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2356 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2357 return ngx_ssl_recv(c, buf, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2358 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2359 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2360 /* SSL_READ_EARLY_DATA_ERROR */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2361 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2362 c->ssl->last = ngx_ssl_handle_recv(c, 0); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2363 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2364 if (bytes) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2365 if (c->ssl->last != NGX_AGAIN) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2366 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2367 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2368 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2369 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2370 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2371 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2372 switch (c->ssl->last) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2373 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2374 case NGX_DONE: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2375 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2376 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2377 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2378 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2379 case NGX_ERROR: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2380 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2381 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2382 /* fall through */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2383 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2384 case NGX_AGAIN: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2385 return c->ssl->last; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2386 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2387 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2388 } |
2389 |
2390 #endif |
2391 |
2392 |
489 | 2393 static ngx_int_t |
2394 ngx_ssl_handle_recv(ngx_connection_t *c, int n) | |
2395 { | |
547 | 2396 int sslerr; |
2397 ngx_err_t err; | |
489 | 2398 |
2399 #ifndef SSL_OP_NO_RENEGOTIATION |
2400 |
2401 if (c->ssl->renegotiation) { |
2402 /* |
2403 * disable renegotiation (CVE-2009-3555): |
2404 * OpenSSL (at least up to 0.9.8l) does not handle disabled |
2405 * renegotiation gracefully, so drop connection here |
2406 */ |
2407 |
2408 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); |
2409 |
2410 while (ERR_peek_error()) { |
2411 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0, |
2412 "ignoring stale global SSL error"); |
2413 } |
2414 |
2415 ERR_clear_error(); |
2416 |
2417 c->ssl->no_wait_shutdown = 1; |
2418 c->ssl->no_send_shutdown = 1; |
2419 |
2420 return NGX_ERROR; |
2421 } |
2422 |
2423 #endif |
2424 |
489 | 2425 if (n > 0) { |
479 | 2426 |
473 | 2427 if (c->ssl->saved_write_handler) { |
2428 | |
509 | 2429 c->write->handler = c->ssl->saved_write_handler; |
473 | 2430 c->ssl->saved_write_handler = NULL; |
2431 c->write->ready = 1; | |
2432 | |
2433 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 2434 return NGX_ERROR; |
2435 } | |
2436 | |
563 | 2437 ngx_post_event(c->write, &ngx_posted_events); |
473 | 2438 } |
2439 | |
489 | 2440 return NGX_OK; |
2441 } |
2442 |
543 | 2443 sslerr = SSL_get_error(c->ssl->connection, n); |
2444 |
2445 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
2446 |
2447 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
2448 |
2449 if (sslerr == SSL_ERROR_WANT_READ) { |
2450 |
2451 if (c->ssl->saved_write_handler) { |
2452 |
2453 c->write->handler = c->ssl->saved_write_handler; |
2454 c->ssl->saved_write_handler = NULL; |
2455 c->write->ready = 1; |
2456 |
2457 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
2458 return NGX_ERROR; |
2459 } |
2460 |
2461 ngx_post_event(c->write, &ngx_posted_events); |
2462 } |
2463 |
455 | 2464 c->read->ready = 0; |
2465 return NGX_AGAIN; |
2466 } |
2467 |
2468 if (sslerr == SSL_ERROR_WANT_WRITE) { |
539 | 2469 |
2470 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
2471 "SSL_read: want write"); |
473 | 2472 |
2473 c->write->ready = 0; | |
2474 | |
2475 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 2476 return NGX_ERROR; |
2477 } | |
2478 | |
2479 /* | |
2480 * we do not set the timer because there is already the read event timer | |
2481 */ | |
2482 | |
2483 if (c->ssl->saved_write_handler == NULL) { | |
509 | 2484 c->ssl->saved_write_handler = c->write->handler; |
2485 c->write->handler = ngx_ssl_write_handler; | |
473 | 2486 } |
2487 | |
2488 return NGX_AGAIN; |
2489 } |
2490 |
547 | 2491 c->ssl->no_wait_shutdown = 1; |
2492 c->ssl->no_send_shutdown = 1; | |
2493 |
2494 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
577 | 2495 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
2496 "peer shutdown SSL cleanly"); | |
2497 return NGX_DONE; | |
2498 } |
2499 |
547 | 2500 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed"); |
2501 |
2502 return NGX_ERROR; |
2503 } |
2504 |
2505 |
/*
 * Temporary write event handler.  ngx_ssl_read() installs it on c->write
 * (saving the real handler in c->ssl->saved_write_handler) when SSL_read()
 * reports SSL_ERROR_WANT_WRITE; once the socket becomes writable it simply
 * re-runs the read handler so the blocked read is retried.
 */
static void
ngx_ssl_write_handler(ngx_event_t *wev)
{
    ngx_connection_t  *conn = wev->data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, conn->log, 0, "SSL write handler");

    /* hand control back to the read side; it owns the retry logic */
    conn->read->handler(conn->read);
}
2517 | |
2518 | |
2519 /* |
2520 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
473 | 2521 * before the SSL_write() call to decrease SSL overhead.
2522 * |
2523 * Besides, for protocols such as HTTP it is possible to always buffer
2524 * the output to decrease SSL overhead some more.
2525 */ |
2526 |
/*
 * Sends the chain "in" over the SSL connection "c".  At most "limit" bytes
 * are sent per call; limit == 0 means no caller-imposed limit, and in either
 * case the value is capped below.  Returns the chain of bufs still to be
 * sent (NULL when everything was consumed) or NGX_CHAIN_ERROR.
 *
 * Without c->ssl->buffer each buf is passed to ngx_ssl_write() directly and
 * "limit" is not consulted.  With buffering, data is copied into c->ssl->buf
 * (allocated on demand, c->ssl->buffer_size bytes) and written out when the
 * buffer is full, when the limit is reached, or when a flush is requested:
 * a buf carrying the flush or last_buf flag, a flush left pending by a
 * previous call (buf->flush), or a call with in == NULL.  File bufs are
 * sent with ngx_ssl_sendfile() when c->ssl->sendfile is set.
 */
ngx_chain_t *
ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
{
    /*
     * n is an int although ngx_ssl_write() returns ssize_t; SSL_write()
     * itself returns int, so the narrowing is presumably harmless — verify
     * against ngx_ssl_sendfile() as well
     */
    int           n;
    ngx_uint_t    flush;
    ssize_t       send, size, file_size;
    ngx_buf_t    *buf;
    ngx_chain_t  *cl;

    if (!c->ssl->buffer) {

        /*
         * unbuffered path: each data buf is written as is and retried until
         * fully consumed; NGX_AGAIN returns the buf still being written
         */

        while (in) {
            if (ngx_buf_special(in->buf)) {
                in = in->next;
                continue;
            }

            n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos);

            if (n == NGX_ERROR) {
                return NGX_CHAIN_ERROR;
            }

            if (n == NGX_AGAIN) {
                return in;
            }

            in->buf->pos += n;

            if (in->buf->pos == in->buf->last) {
                in = in->next;
            }
        }

        return in;
    }


    /* the maximum limit size is the maximum int32_t value - the page size */

    if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
        limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
    }

    buf = c->ssl->buf;

    if (buf == NULL) {
        /* the buffer is created on first use and kept on the connection */
        buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size);
        if (buf == NULL) {
            return NGX_CHAIN_ERROR;
        }

        c->ssl->buf = buf;
    }

    if (buf->start == NULL) {
        /*
         * the buf object may survive with its memory released elsewhere
         * (start == NULL); allocate and reset it again
         */
        buf->start = ngx_palloc(c->pool, c->ssl->buffer_size);
        if (buf->start == NULL) {
            return NGX_CHAIN_ERROR;
        }

        buf->pos = buf->start;
        buf->last = buf->start;
        buf->end = buf->start + c->ssl->buffer_size;
    }

    /* data left in the buffer by a previous call counts against the limit */
    send = buf->last - buf->pos;

    /* an empty chain forces a flush; otherwise honour a pending one */
    flush = (in == NULL) ? 1 : buf->flush;

    for ( ;; ) {

        /* fill the buffer from the chain until it is full or the limit is hit */

        while (in && buf->last < buf->end && send < limit) {
            /*
             * checked before the special-buf skip so that a zero-size
             * last_buf or flush buf still forces a write
             */
            if (in->buf->last_buf || in->buf->flush) {
                flush = 1;
            }

            if (ngx_buf_special(in->buf)) {
                in = in->next;
                continue;
            }

            /* a file buf goes via sendfile: flush what is buffered first */
            if (in->buf->in_file && c->ssl->sendfile) {
                flush = 1;
                break;
            }

            size = in->buf->last - in->buf->pos;

            /*
             * size is clamped to both the free space in buf and the
             * remaining limit, so the memcpy below cannot run past buf->end
             */
            if (size > buf->end - buf->last) {
                size = buf->end - buf->last;
            }

            if (send + size > limit) {
                size = (ssize_t) (limit - send);
            }

            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "SSL buf copy: %z", size);

            ngx_memcpy(buf->last, in->buf->pos, size);

            buf->last += size;
            in->buf->pos += size;
            send += size;

            if (in->buf->pos == in->buf->last) {
                in = in->next;
            }
        }

        /* nothing forces a write yet: keep the data buffered for later */
        if (!flush && send < limit && buf->last < buf->end) {
            break;
        }

        size = buf->last - buf->pos;

        if (size == 0) {

            if (in && in->buf->in_file && send < limit) {

                /* coalesce the neighbouring file bufs */

                /*
                 * cl is only an out-parameter of the coalesce call and is
                 * not read afterwards; the result is bounded by limit - send,
                 * which the cap above keeps within int32 range
                 */
                cl = in;
                file_size = (size_t) ngx_chain_coalesce_file(&cl, limit - send);

                n = ngx_ssl_sendfile(c, in->buf, file_size);

                if (n == NGX_ERROR) {
                    return NGX_CHAIN_ERROR;
                }

                if (n == NGX_AGAIN) {
                    break;
                }

                /* presumably advances "in" past the n bytes sent — confirm */
                in = ngx_chain_update_sent(in, n);

                send += n;
                flush = 0;

                continue;
            }

            /* buffer empty and no file buf to send: the flush is satisfied */
            buf->flush = 0;
            c->buffered &= ~NGX_SSL_BUFFERED;

            return in;
        }

        n = ngx_ssl_write(c, buf->pos, size);

        if (n == NGX_ERROR) {
            return NGX_CHAIN_ERROR;
        }

        if (n == NGX_AGAIN) {
            break;
        }

        buf->pos += n;

        /* partial write: the rest stays buffered and the flush stays pending */
        if (n < size) {
            break;
        }

        flush = 0;

        buf->pos = buf->start;
        buf->last = buf->start;

        if (in == NULL || send >= limit) {
            break;
        }
    }

    /* remember a still-pending flush for the next call */
    buf->flush = flush;

    if (buf->pos < buf->last) {
        c->buffered |= NGX_SSL_BUFFERED;

    } else {
        c->buffered &= ~NGX_SSL_BUFFERED;
    }

    return in;
}
2713 |
2714 |
539 | 2715 ssize_t |
489 | 2716 ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) |
2717 { |
547 | 2718 int n, sslerr; |
2719 ngx_err_t err; | |
2720 |
2721 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
2722 if (c->ssl->in_early) { |
2723 return ngx_ssl_write_early(c, data, size); |
2724 } |
2725 #endif |
2726 |
2727 ngx_ssl_clear_error(c->log); |
2728 |
6480 | 2729 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); |
2730 |
543 | 2731 n = SSL_write(c->ssl->connection, data, size); |
2732 |
2733 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); |
2734 |
2735 if (n > 0) { |
539 | 2736 |
473 | 2737 if (c->ssl->saved_read_handler) { |
2738 | |
509 | 2739 c->read->handler = c->ssl->saved_read_handler; |
473 | 2740 c->ssl->saved_read_handler = NULL; |
2741 c->read->ready = 1; | |
2742 | |
2743 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 2744 return NGX_ERROR; |
2745 } | |
2746 | |
563 | 2747 ngx_post_event(c->read, &ngx_posted_events); |
473 | 2748 } |
2749 | |
2750 c->sent += n; |
2751 |
2752 return n; |
2753 } |
2754 |
543 | 2755 sslerr = SSL_get_error(c->ssl->connection, n); |
2756 |
2757 if (sslerr == SSL_ERROR_ZERO_RETURN) { |
2758 |
2759 /* |
2760 * OpenSSL 1.1.1 fails to return SSL_ERROR_SYSCALL if an error |
2761 * happens during SSL_write() after close_notify alert from the |
2762 * peer, and returns SSL_ERROR_ZERO_RETURN instead, |
2763 * https://git.openssl.org/?p=openssl.git;a=commitdiff;h=8051ab2 |
2764 */ |
2765 |
2766 sslerr = SSL_ERROR_SYSCALL; |
2767 } |
2768 |
2769 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
2770 |
2771 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
2772 |
2773 if (sslerr == SSL_ERROR_WANT_WRITE) { |
2774 |
2775 if (c->ssl->saved_read_handler) { |
2776 |
2777 c->read->handler = c->ssl->saved_read_handler; |
2778 c->ssl->saved_read_handler = NULL; |
2779 c->read->ready = 1; |
2780 |
2781 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
2782 return NGX_ERROR; |
2783 } |
2784 |
2785 ngx_post_event(c->read, &ngx_posted_events); |
2786 } |
2787 |
2788 c->write->ready = 0; |
2789 return NGX_AGAIN; |
2790 } |
2791 |
2792 if (sslerr == SSL_ERROR_WANT_READ) { |
452 | 2793 |
2794 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
2795 "SSL_write: want read"); |
473 | 2796 |
2797 c->read->ready = 0; | |
2798 | |
2799 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 2800 return NGX_ERROR; |
2801 } | |
2802 | |
2803 /* | |
2804 * we do not set the timer because there is already | |
2805 * the write event timer | |
2806 */ | |
2807 | |
2808 if (c->ssl->saved_read_handler == NULL) { | |
509 | 2809 c->ssl->saved_read_handler = c->read->handler; |
2810 c->read->handler = ngx_ssl_read_handler; | |
473 | 2811 } |
2812 | |
2813 return NGX_AGAIN; |
2814 } |
2815 |
547 | 2816 c->ssl->no_wait_shutdown = 1; |
2817 c->ssl->no_send_shutdown = 1; | |
591 | 2818 c->write->error = 1; |
543 | 2819 |
547 | 2820 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed"); |
2821 |
2822 return NGX_ERROR; |
2823 } |
2824 |
2825 |
2826 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
2827 |
7940
46a02ed7c966
Style: added missing "static" specifiers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7936
diff
changeset
|
/*
 * Puts the original read handler back after a write that had temporarily
 * redirected reads to ngx_ssl_read_handler has made progress.  A no-op
 * when nothing was saved.  Returns NGX_ERROR if re-arming the read event
 * fails, NGX_OK otherwise.
 */
static ngx_int_t
ngx_ssl_write_early_restore_read(ngx_connection_t *c)
{
    if (c->ssl->saved_read_handler == NULL) {
        return NGX_OK;
    }

    c->read->handler = c->ssl->saved_read_handler;
    c->ssl->saved_read_handler = NULL;
    c->read->ready = 1;

    if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
        return NGX_ERROR;
    }

    ngx_post_event(c->read, &ngx_posted_events);

    return NGX_OK;
}


/*
 * Sends TLSv1.3 early data through SSL_write_early_data().
 *
 * Returns the number of bytes accepted by the library (which may be fewer
 * than size), NGX_AGAIN when the library needs the socket to become
 * writable or readable, or NGX_ERROR on failure.  While waiting for
 * readability the connection's read handler is replaced with
 * ngx_ssl_read_handler and the original one is kept in
 * c->ssl->saved_read_handler.  On failure the connection is marked so
 * that no shutdown alert is sent or awaited.
 */
static ssize_t
ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size)
{
    int         rc, sslerr;
    size_t      nwritten;
    ngx_err_t   err;

    ngx_ssl_clear_error(c->log);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size);

    nwritten = 0;

    rc = SSL_write_early_data(c->ssl->connection, data, size, &nwritten);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL_write_early_data: %d, %uz", rc, nwritten);

    if (rc > 0) {

        if (ngx_ssl_write_early_restore_read(c) != NGX_OK) {
            return NGX_ERROR;
        }

        /* a read deferred while the write was blocked can run now */

        if (c->ssl->write_blocked) {
            c->ssl->write_blocked = 0;
            ngx_post_event(c->read, &ngx_posted_events);
        }

        c->sent += nwritten;

        return nwritten;
    }

    sslerr = SSL_get_error(c->ssl->connection, rc);

    /* errno is only meaningful for SSL_ERROR_SYSCALL */
    err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

    switch (sslerr) {

    case SSL_ERROR_WANT_WRITE:

        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL_write_early_data: want write");

        if (ngx_ssl_write_early_restore_read(c) != NGX_OK) {
            return NGX_ERROR;
        }

        /*
         * OpenSSL 1.1.1a fails to handle SSL_read_early_data()
         * if an SSL_write_early_data() call blocked on writing,
         * see https://github.com/openssl/openssl/issues/7757
         */

        c->ssl->write_blocked = 1;

        c->write->ready = 0;
        return NGX_AGAIN;

    case SSL_ERROR_WANT_READ:

        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL_write_early_data: want read");

        c->read->ready = 0;

        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        /*
         * we do not set the timer because there is already
         * the write event timer
         */

        if (c->ssl->saved_read_handler == NULL) {
            c->ssl->saved_read_handler = c->read->handler;
            c->read->handler = ngx_ssl_read_handler;
        }

        return NGX_AGAIN;

    default:
        break;
    }

    /* fatal: give up on a clean close_notify exchange */

    c->ssl->no_wait_shutdown = 1;
    c->ssl->no_send_shutdown = 1;
    c->write->error = 1;

    ngx_ssl_connection_error(c, sslerr, err, "SSL_write_early_data() failed");

    return NGX_ERROR;
}
2939 |
2940 #endif |
2941 |
2942 |
2943 static ssize_t |
2944 ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, size_t size) |
2945 { |
2946 #if (defined BIO_get_ktls_send && !NGX_WIN32) |
2947 |
2948 int sslerr, flags; |
2949 ssize_t n; |
2950 ngx_err_t err; |
2951 |
2952 ngx_ssl_clear_error(c->log); |
2953 |
2954 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
2955 "SSL to sendfile: @%O %uz", |
2956 file->file_pos, size); |
2957 |
2958 ngx_set_errno(0); |
2959 |
2960 #if (NGX_HAVE_SENDFILE_NODISKIO) |
2961 |
2962 flags = (c->busy_count <= 2) ? SF_NODISKIO : 0; |
2963 |
2964 if (file->file->directio) { |
2965 flags |= SF_NOCACHE; |
2966 } |
2967 |
2968 #else |
2969 flags = 0; |
2970 #endif |
2971 |
2972 n = SSL_sendfile(c->ssl->connection, file->file->fd, file->file_pos, |
2973 size, flags); |
2974 |
2975 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", n); |
2976 |
2977 if (n > 0) { |
2978 |
2979 if (c->ssl->saved_read_handler) { |
2980 |
2981 c->read->handler = c->ssl->saved_read_handler; |
2982 c->ssl->saved_read_handler = NULL; |
2983 c->read->ready = 1; |
2984 |
2985 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
2986 return NGX_ERROR; |
2987 } |
2988 |
2989 ngx_post_event(c->read, &ngx_posted_events); |
2990 } |
2991 |
2992 #if (NGX_HAVE_SENDFILE_NODISKIO) |
2993 c->busy_count = 0; |
2994 #endif |
2995 |
2996 c->sent += n; |
2997 |
2998 return n; |
2999 } |
3000 |
3001 if (n == 0) { |
3002 |
3003 /* |
3004 * if sendfile returns zero, then someone has truncated the file, |
3005 * so the offset became beyond the end of the file |
3006 */ |
3007 |
3008 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
3009 "SSL_sendfile() reported that \"%s\" was truncated at %O", |
3010 file->file->name.data, file->file_pos); |
3011 |
3012 return NGX_ERROR; |
3013 } |
3014 |
3015 sslerr = SSL_get_error(c->ssl->connection, n); |
3016 |
3017 if (sslerr == SSL_ERROR_ZERO_RETURN) { |
3018 |
3019 /* |
3020 * OpenSSL fails to return SSL_ERROR_SYSCALL if an error |
3021 * happens during writing after close_notify alert from the |
3022 * peer, and returns SSL_ERROR_ZERO_RETURN instead |
3023 */ |
3024 |
3025 sslerr = SSL_ERROR_SYSCALL; |
3026 } |
3027 |
3028 if (sslerr == SSL_ERROR_SSL |
3029 && ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNINITIALIZED |
3030 && ngx_errno != 0) |
3031 { |
3032 /* |
3033 * OpenSSL fails to return SSL_ERROR_SYSCALL if an error |
3034 * happens in sendfile(), and returns SSL_ERROR_SSL with |
3035 * SSL_R_UNINITIALIZED reason instead |
3036 */ |
3037 |
3038 sslerr = SSL_ERROR_SYSCALL; |
3039 } |
3040 |
3041 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
3042 |
3043 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
3044 |
3045 if (sslerr == SSL_ERROR_WANT_WRITE) { |
3046 |
3047 if (c->ssl->saved_read_handler) { |
3048 |
3049 c->read->handler = c->ssl->saved_read_handler; |
3050 c->ssl->saved_read_handler = NULL; |
3051 c->read->ready = 1; |
3052 |
3053 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
3054 return NGX_ERROR; |
3055 } |
3056 |
3057 ngx_post_event(c->read, &ngx_posted_events); |
3058 } |
3059 |
3060 #if (NGX_HAVE_SENDFILE_NODISKIO) |
3061 |
3062 if (ngx_errno == EBUSY) { |
3063 c->busy_count++; |
3064 |
3065 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3066 "SSL_sendfile() busy, count:%d", c->busy_count); |
3067 |
3068 if (c->write->posted) { |
3069 ngx_delete_posted_event(c->write); |
3070 } |
3071 |
3072 ngx_post_event(c->write, &ngx_posted_next_events); |
3073 } |
3074 |
3075 #endif |
3076 |
3077 c->write->ready = 0; |
3078 return NGX_AGAIN; |
3079 } |
3080 |
3081 if (sslerr == SSL_ERROR_WANT_READ) { |
3082 |
3083 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3084 "SSL_sendfile: want read"); |
3085 |
3086 c->read->ready = 0; |
3087 |
3088 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
3089 return NGX_ERROR; |
3090 } |
3091 |
3092 /* |
3093 * we do not set the timer because there is already |
3094 * the write event timer |
3095 */ |
3096 |
3097 if (c->ssl->saved_read_handler == NULL) { |
3098 c->ssl->saved_read_handler = c->read->handler; |
3099 c->read->handler = ngx_ssl_read_handler; |
3100 } |
3101 |
3102 return NGX_AGAIN; |
3103 } |
3104 |
3105 c->ssl->no_wait_shutdown = 1; |
3106 c->ssl->no_send_shutdown = 1; |
3107 c->write->error = 1; |
3108 |
3109 ngx_ssl_connection_error(c, sslerr, err, "SSL_sendfile() failed"); |
3110 |
3111 #else |
3112 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
3113 "SSL_sendfile() not available"); |
3114 #endif |
3115 |
3116 return NGX_ERROR; |
3117 } |
3118 |
3119 |
/*
 * Read event handler that the SSL_sendfile() path installs on
 * SSL_ERROR_WANT_READ (see ngx_ssl_sendfile()): readable data means the
 * stalled write can be retried, so the event is forwarded to the
 * connection's write handler instead of being processed as a read.
 */
static void
ngx_ssl_read_handler(ngx_event_t *rev)
{
    ngx_connection_t  *c = rev->data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler");

    /* the write side owns the retry; invoke it with its own event */
    c->write->handler(c->write);
}
3131 | |
3132 | |
/*
 * Returns the memory behind the connection's SSL buffer to the pool.
 *
 * Nothing happens when no buffer was ever allocated (c->ssl->buf is NULL
 * or its start pointer is already NULL).  The start pointer is cleared only
 * when ngx_pfree() reports NGX_OK, so a buffer that could not be released
 * keeps its pointer; the ngx_buf_t itself stays attached to c->ssl.
 */
void
ngx_ssl_free_buffer(ngx_connection_t *c)
{
    if (c->ssl->buf == NULL || c->ssl->buf->start == NULL) {
        return;
    }

    /* pool-owned memory: ngx_pfree() decides whether it can be released */
    if (ngx_pfree(c->pool, c->ssl->buf->start) != NGX_OK) {
        return;
    }

    c->ssl->buf->start = NULL;
}
3142 |
3143 |
489 | 3144 ngx_int_t |
3145 ngx_ssl_shutdown(ngx_connection_t *c) | |
3146 { |
3147 int n, sslerr, mode; |
3148 ngx_int_t rc; |
3149 ngx_err_t err; |
3150 ngx_uint_t tries; |
3151 |
3152 rc = NGX_OK; |
3153 |
3154 ngx_ssl_ocsp_cleanup(c); |
3155 |
3156 if (SSL_in_init(c->ssl->connection)) { |
3157 /* |
3158 * OpenSSL 1.0.2f complains if SSL_shutdown() is called during |
3159 * an SSL handshake, while previous versions always return 0. |
3160 * Avoid calling SSL_shutdown() if handshake wasn't completed. |
3161 */ |
3162 |
3163 goto done; |
3164 } |
3165 |
3166 if (c->timedout || c->error || c->buffered) { |
547 | 3167 mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN; |
3168 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
3169 |
547 | 3170 } else { |
3171 mode = SSL_get_shutdown(c->ssl->connection); | |
473 | 3172 |
547 | 3173 if (c->ssl->no_wait_shutdown) { |
3174 mode |= SSL_RECEIVED_SHUTDOWN; | |
3175 } |
3176 |
547 | 3177 if (c->ssl->no_send_shutdown) { |
3178 mode |= SSL_SENT_SHUTDOWN; | |
3179 } |
3180 |
3181 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) { |
3182 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
3183 } |
3184 } |
3185 |
547 | 3186 SSL_set_shutdown(c->ssl->connection, mode); |
3187 | |
3188 ngx_ssl_clear_error(c->log); |
3189 |
3190 tries = 2; |
3191 |
3192 for ( ;; ) { |
3193 |
3194 /* |
3195 * For bidirectional shutdown, SSL_shutdown() needs to be called |
3196 * twice: first call sends the "close notify" alert and returns 0, |
3197 * second call waits for the peer's "close notify" alert. |
3198 */ |
3199 |
3200 n = SSL_shutdown(c->ssl->connection); |
3201 |
3202 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); |
3203 |
3204 if (n == 1) { |
3205 goto done; |
3206 } |
3207 |
3208 if (n == 0 && tries-- > 1) { |
3209 continue; |
3210 } |
3211 |
3212 /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */ |
3213 |
543 | 3214 sslerr = SSL_get_error(c->ssl->connection, n); |
3215 |
3216 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3217 "SSL_get_error: %d", sslerr); |
3218 |
3219 if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { |
3220 c->read->handler = ngx_ssl_shutdown_handler; |
3221 c->write->handler = ngx_ssl_shutdown_handler; |
3222 |
3223 if (sslerr == SSL_ERROR_WANT_READ) { |
3224 c->read->ready = 0; |
3225 |
3226 } else { |
3227 c->write->ready = 0; |
3228 } |
3229 |
3230 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
3231 goto failed; |
3232 } |
3233 |
3234 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
3235 goto failed; |
3236 } |
3237 |
3238 ngx_add_timer(c->read, 3000); |
3239 |
3240 return NGX_AGAIN; |
3241 } |
3242 |
3243 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
3244 goto done; |
3245 } |
3246 |
3247 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
3248 |
3249 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); |
3250 |
3251 break; |
3252 } |
3253 |
3254 failed: |
3255 |
3256 rc = NGX_ERROR; |
3257 |
3258 done: |
3259 |
3260 if (c->ssl->shutdown_without_free) { |
3261 c->ssl->shutdown_without_free = 0; |
3262 c->recv = ngx_recv; |
3263 return rc; |
3264 } |
3265 |
3266 SSL_free(c->ssl->connection); |
3267 c->ssl = NULL; |
3268 c->recv = ngx_recv; |
3269 |
3270 return rc; |
3271 } |
3272 |
3273 |
/*
 * Event handler installed on a connection's read and write events while
 * ngx_ssl_shutdown() is waiting for the peer's "close notify".  It re-drives
 * the shutdown and, once that no longer reports NGX_AGAIN, passes the
 * connection on to the handler recorded in c->ssl->handler.
 *
 * A timed-out event is recorded in c->timedout before the shutdown is
 * retried, so the continuation handler can see that the wait expired.
 */
static void
ngx_ssl_shutdown_handler(ngx_event_t *ev)
{
    ngx_connection_t            *conn = ev->data;

    /*
     * captured before retrying: a completed ngx_ssl_shutdown() releases
     * c->ssl, so the handler cannot be read from it afterwards
     */
    ngx_connection_handler_pt    next = conn->ssl->handler;

    if (ev->timedout) {
        conn->timedout = 1;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler");

    if (ngx_ssl_shutdown(conn) != NGX_AGAIN) {
        next(conn);
    }
}
3295 | |
3296 | |
3297 static void | |
547 | 3298 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, |
3299 char *text) | |
3300 { | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3301 int n; |
547 | 3302 ngx_uint_t level; |
3303 | |
3304 level = NGX_LOG_CRIT; | |
3305 | |
3306 if (sslerr == SSL_ERROR_SYSCALL) { | |
3307 | |
3308 if (err == NGX_ECONNRESET | |
7560
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3309 #if (NGX_WIN32) |
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3310 || err == NGX_ECONNABORTED |
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3311 #endif |
547 | 3312 || err == NGX_EPIPE |
3313 || err == NGX_ENOTCONN | |
589 | 3314 || err == NGX_ETIMEDOUT |
547 | 3315 || err == NGX_ECONNREFUSED |
1869
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3316 || err == NGX_ENETDOWN |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3317 || err == NGX_ENETUNREACH |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3318 || err == NGX_EHOSTDOWN |
547 | 3319 || err == NGX_EHOSTUNREACH) |
3320 { | |
3321 switch (c->log_error) { | |
3322 | |
3323 case NGX_ERROR_IGNORE_ECONNRESET: | |
3324 case NGX_ERROR_INFO: | |
3325 level = NGX_LOG_INFO; | |
3326 break; | |
3327 | |
3328 case NGX_ERROR_ERR: | |
3329 level = NGX_LOG_ERR; | |
3330 break; | |
3331 | |
3332 default: | |
3333 break; | |
3334 } | |
3335 } | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3336 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3337 } else if (sslerr == SSL_ERROR_SSL) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3338 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3339 n = ERR_GET_REASON(ERR_peek_error()); |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3340 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3341 /* handshake failures */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3342 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ |
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3343 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3344 || n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */ |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3345 #endif |
8054
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3346 #ifdef SSL_R_BAD_KEY_SHARE |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3347 || n == SSL_R_BAD_KEY_SHARE /* 108 */ |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3348 #endif |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3349 #ifdef SSL_R_BAD_EXTENSION |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3350 || n == SSL_R_BAD_EXTENSION /* 110 */ |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3351 #endif |
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3352 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3353 || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */ |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3354 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3355 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ |
3718
bfd84b583868
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3516
diff
changeset
|
3356 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3357 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3358 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ |
7311
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
3359 || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */ |
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
3360 || n == SSL_R_HTTP_REQUEST /* 156 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3361 || n == SSL_R_LENGTH_MISMATCH /* 159 */ |
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
3362 #ifdef SSL_R_NO_CIPHERS_PASSED |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3363 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ |
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
3364 #endif |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3365 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ |
8054
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3366 #ifdef SSL_R_BAD_CIPHER |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3367 || n == SSL_R_BAD_CIPHER /* 186 */ |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3368 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3369 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3370 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3371 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ |
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3372 #ifdef SSL_R_CLIENTHELLO_TLSEXT |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3373 || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */ |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3374 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3375 #ifdef SSL_R_PARSE_TLSEXT |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3376 || n == SSL_R_PARSE_TLSEXT /* 227 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3377 #endif |
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3378 #ifdef SSL_R_CALLBACK_FAILED |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3379 || n == SSL_R_CALLBACK_FAILED /* 234 */ |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3380 #endif |
7936
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
3381 #ifdef SSL_R_NO_APPLICATION_PROTOCOL |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
3382 || n == SSL_R_NO_APPLICATION_PROTOCOL /* 235 */ |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
3383 #endif |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3384 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3385 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3386 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ |
3357
fc735aa50b8b
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
3387 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ |
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3388 #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3389 || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */ |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3390 #endif |
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3391 || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */ |
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3392 #ifdef SSL_R_NO_SHARED_GROUP |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3393 || n == SSL_R_NO_SHARED_GROUP /* 266 */ |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3394 #endif |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3395 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3396 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ |
8009
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3397 #ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3398 || n == SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY /* 291 */ |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3399 #endif |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3400 #ifdef SSL_R_APPLICATION_DATA_ON_SHUTDOWN |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3401 || n == SSL_R_APPLICATION_DATA_ON_SHUTDOWN /* 291 */ |
a736a7a613ea
SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents:
7997
diff
changeset
|
3402 #endif |
8054
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3403 #ifdef SSL_R_BAD_ECPOINT |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3404 || n == SSL_R_BAD_ECPOINT /* 306 */ |
cac164d0807e
SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8009
diff
changeset
|
3405 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3406 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3407 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3408 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3409 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3410 #endif |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3411 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3412 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3413 #endif |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3414 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3415 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3416 #endif |
5902
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3417 #ifdef SSL_R_INAPPROPRIATE_FALLBACK |
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3418 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ |
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3419 #endif |
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3420 #ifdef SSL_R_CERT_CB_ERROR |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3421 || n == SSL_R_CERT_CB_ERROR /* 377 */ |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3422 #endif |
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3423 #ifdef SSL_R_VERSION_TOO_LOW |
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3424 || n == SSL_R_VERSION_TOO_LOW /* 396 */ |
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3425 #endif |
8063
9cf231508a8d
SSL: logging level of "bad record type" errors.
Murilo Andrade <murilo.b.andrade@gmail.com>
parents:
8054
diff
changeset
|
3426 #ifdef SSL_R_BAD_RECORD_TYPE |
9cf231508a8d
SSL: logging level of "bad record type" errors.
Murilo Andrade <murilo.b.andrade@gmail.com>
parents:
8054
diff
changeset
|
3427 || n == SSL_R_BAD_RECORD_TYPE /* 443 */ |
9cf231508a8d
SSL: logging level of "bad record type" errors.
Murilo Andrade <murilo.b.andrade@gmail.com>
parents:
8054
diff
changeset
|
3428 #endif |
1877
a55876dff8f5
low SSL handshake close notify alert error level
Igor Sysoev <igor@sysoev.ru>
parents:
1876
diff
changeset
|
3429 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3430 #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3431 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3432 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3433 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3434 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3435 || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3436 || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3437 || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3438 || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3439 || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3440 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3441 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3442 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3443 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3444 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3445 || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3446 || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3447 || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3448 || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3449 || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3450 || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3451 || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3452 || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ |
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3453 || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */ |
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3454 #endif |
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3455 ) |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3456 { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3457 switch (c->log_error) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3458 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3459 case NGX_ERROR_IGNORE_ECONNRESET: |
3460 case NGX_ERROR_INFO: |
3461 level = NGX_LOG_INFO; |
3462 break; |
3463 |
3464 case NGX_ERROR_ERR: |
3465 level = NGX_LOG_ERR; |
3466 break; |
3467 |
3468 default: |
3469 break; |
3470 } |
3471 } |
547 | 3472 } |
3473 | |
3474 ngx_ssl_error(level, c->log, err, text); | |
3475 } | |
3476 | |
3477 | |
/*
 * Drains whatever is left in OpenSSL's error queue so that a stale entry
 * is not later attributed to the current operation.  Every leftover entry
 * is reported at NGX_LOG_ALERT through ngx_ssl_error(), which consumes the
 * entries it reports; ERR_clear_error() then discards anything remaining.
 *
 * log: the log to report stale errors to.
 */
static void
ngx_ssl_clear_error(ngx_log_t *log)
{
    for ( ;; ) {
        if (ERR_peek_error() == 0) {
            break;
        }

        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
    }

    ERR_clear_error();
}
3487 |
3488 |
/*
 * Logs a message together with the contents of the OpenSSL error queue.
 *
 * The printf-like message (fmt, ...) is formatted first.  If the error
 * queue is not empty, " (SSL:" is appended, followed by one
 * " <error string>[:<data>]" fragment per queued entry -- the data part
 * only when OpenSSL flags it as a printable string (ERR_TXT_STRING) --
 * and a closing ")".  Every queued entry is popped whether or not it fit
 * into the buffer, so the queue is empty on return.
 *
 * The result is bounded by NGX_MAX_CONF_ERRSTR bytes; fragments that do
 * not fit are dropped.  The buffer is handed to ngx_log_error() with an
 * explicit length ("%*s"), so it need not be NUL-terminated.
 *
 * level, log, err: passed through to ngx_log_error().
 * fmt, ...:        ngx_vslprintf() format string and arguments.
 */
void ngx_cdecl
ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
{
    int          flags;
    u_long       code;
    va_list      args;
    u_char      *pos, *end;
    u_char       errstr[NGX_MAX_CONF_ERRSTR];
    const char  *extra;

    end = errstr + NGX_MAX_CONF_ERRSTR;

    /* keep one byte spare: ERR_error_string_n() below needs room to write */

    va_start(args, fmt);
    pos = ngx_vslprintf(errstr, end - 1, fmt, args);
    va_end(args);

    if (ERR_peek_error()) {
        pos = ngx_cpystrn(pos, (u_char *) " (SSL:", end - pos);

        for (code = ERR_peek_error_data(&extra, &flags);
             code != 0;
             code = ERR_peek_error_data(&extra, &flags))
        {
            /*
             * ERR_error_string_n() requires at least one byte; when the
             * buffer is exhausted the entry is skipped but still consumed
             */

            if (pos < end - 1) {
                *pos++ = ' ';

                ERR_error_string_n(code, (char *) pos, end - pos);

                /* bounded scan: never trust the terminator past 'end' */

                while (pos < end && *pos) {
                    pos++;
                }

                if (pos < end && *extra && (flags & ERR_TXT_STRING)) {
                    *pos++ = ':';
                    pos = ngx_cpystrn(pos, (u_char *) extra, end - pos);
                }
            }

            /* pop the entry just reported (or skipped) from the queue */

            (void) ERR_get_error();
        }

        if (pos < end) {
            *pos++ = ')';
        }
    }

    ngx_log_error(level, log, err, "%*s", pos - errstr, errstr);
}
509 | 3547 |
3548 | |
/*
 * Configures TLS session caching on ssl->ctx.
 *
 * timeout is applied with SSL_CTX_set_timeout(); the session id context
 * is then derived by ngx_ssl_session_id_context() from sess_ctx, the
 * loaded certificates and the client CA list (presumably so that a
 * session created under one server configuration is not resumed under
 * another).  A failure there aborts configuration.
 *
 * builtin_session_cache selects the mode:
 *   NGX_SSL_NO_SCACHE           - caching disabled (SSL_SESS_CACHE_OFF);
 *   NGX_SSL_NONE_SCACHE         - session reuse is advertised but nothing
 *                                 is stored (see the comment below);
 *   NGX_SSL_NO_BUILTIN_SCACHE   - OpenSSL's internal cache is disabled when
 *                                 shm_zone is given, otherwise left at its
 *                                 default;
 *   NGX_SSL_DFLT_BUILTIN_SCACHE - internal cache at OpenSSL's default size;
 *   any other value             - internal cache sized to that value.
 *
 * When shm_zone is non-NULL, the new/get/remove session callbacks are
 * installed and the zone is attached to the context as ex_data at
 * ngx_ssl_session_cache_index so the callbacks can reach it.
 *
 * Returns NGX_OK, or NGX_ERROR if the session id context cannot be set
 * or SSL_CTX_set_ex_data() fails (the latter logged at NGX_LOG_EMERG).
 */
ngx_int_t
ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
    ngx_array_t *certificates, ssize_t builtin_session_cache,
    ngx_shm_zone_t *shm_zone, time_t timeout)
{
    long  mode;

    SSL_CTX_set_timeout(ssl->ctx, (long) timeout);

    if (ngx_ssl_session_id_context(ssl, sess_ctx, certificates) != NGX_OK) {
        return NGX_ERROR;
    }

    if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
        SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
        return NGX_OK;
    }

    if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {

        /*
         * A server that explicitly disables session reuse (SSL_SESS_CACHE_OFF
         * above) breaks Outlook Express: it then fails to copy a sent email
         * into the Sent Items folder on the IMAP server over a separate
         * background IMAP connection.  This mode therefore advertises
         * session reuse (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE)
         * while actually storing no sessions at all.
         */

        mode = SSL_SESS_CACHE_SERVER
               |SSL_SESS_CACHE_NO_AUTO_CLEAR
               |SSL_SESS_CACHE_NO_INTERNAL_STORE;

        SSL_CTX_set_session_cache_mode(ssl->ctx, mode);
        SSL_CTX_sess_set_cache_size(ssl->ctx, 1);

        return NGX_OK;
    }

    mode = SSL_SESS_CACHE_SERVER;

    /* with a shared zone and no builtin cache, bypass OpenSSL's own store */

    if (shm_zone != NULL && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) {
        mode |= SSL_SESS_CACHE_NO_INTERNAL;
    }

    SSL_CTX_set_session_cache_mode(ssl->ctx, mode);

    if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE
        && builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE)
    {
        SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache);
    }

    if (shm_zone == NULL) {
        return NGX_OK;
    }

    SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
    SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
    SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session);

    /* the callbacks locate the zone through this ex_data slot */

    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}
3621 |
3622 |
3623 static ngx_int_t |
3624 ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
3625 ngx_array_t *certificates) |
3626 { |
3627 int n, i; |
3628 X509 *cert; |
3629 X509_NAME *name; |
3630 ngx_str_t *certs; |
3631 ngx_uint_t k; |
3632 EVP_MD_CTX *md; |
3633 unsigned int len; |
3634 STACK_OF(X509_NAME) *list; |
3635 u_char buf[EVP_MAX_MD_SIZE]; |
3636 |
3637 /* |
3638 * Session ID context is set based on the string provided, |
3639 * the server certificates, and the client CA list. |
3640 */ |
3641 |
3642 md = EVP_MD_CTX_create(); |
3643 if (md == NULL) { |
3644 return NGX_ERROR; |
3645 } |
3646 |
3647 if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) { |
3648 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3649 "EVP_DigestInit_ex() failed"); |
3650 goto failed; |
3651 } |
3652 |
3653 if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) { |
3654 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3655 "EVP_DigestUpdate() failed"); |
3656 goto failed; |
3657 } |
3658 |
3659 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
3660 cert; |
3661 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
3662 { |
3663 if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) { |
3664 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3665 "X509_digest() failed"); |
3666 goto failed; |
3667 } |
3668 |
3669 if (EVP_DigestUpdate(md, buf, len) == 0) { |
3670 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3671 "EVP_DigestUpdate() failed"); |
3672 goto failed; |
3673 } |
3674 } |
3675 |
3676 if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL |
3677 && certificates != NULL) |
3678 { |
3679 /* |
3680 * If certificates are loaded dynamically, we use certificate |
3681 * names as specified in the configuration (with variables). |
3682 */ |
3683 |
3684 certs = certificates->elts; |
3685 for (k = 0; k < certificates->nelts; k++) { |
3686 |
3687 if (EVP_DigestUpdate(md, certs[k].data, certs[k].len) == 0) { |
3688 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3689 "EVP_DigestUpdate() failed"); |
3690 goto failed; |
3691 } |
3692 } |
3693 } |
3694 |
3695 list = SSL_CTX_get_client_CA_list(ssl->ctx); |
3696 |
3697 if (list != NULL) { |
3698 n = sk_X509_NAME_num(list); |
3699 |
3700 for (i = 0; i < n; i++) { |
3701 name = sk_X509_NAME_value(list, i); |
3702 |
3703 if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) { |
3704 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3705 "X509_NAME_digest() failed"); |
3706 goto failed; |
3707 } |
3708 |
3709 if (EVP_DigestUpdate(md, buf, len) == 0) { |
3710 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3711 "EVP_DigestUpdate() failed"); |
3712 goto failed; |
3713 } |
3714 } |
3715 } |
3716 |
3717 if (EVP_DigestFinal_ex(md, buf, &len) == 0) { |
3718 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3719 "EVP_DigestFinal_ex() failed"); |
3720 goto failed; |
3721 } |
3722 |
3723 EVP_MD_CTX_destroy(md); |
3724 |
3725 if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) { |
3726 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3727 "SSL_CTX_set_session_id_context() failed"); |
3728 return NGX_ERROR; |
3729 } |
3730 |
3731 return NGX_OK; |
3732 |
3733 failed: |
3734 |
3735 EVP_MD_CTX_destroy(md); |
3736 |
3737 return NGX_ERROR; |
3738 } |
3739 |
3740 |
/*
 * Initializes the shared memory zone backing an SSL session cache.
 *
 * Three entry paths:
 *   - "data" is non-NULL: the zone already carries cache state handed over
 *     with it, so it is reused unchanged;
 *   - shm.exists is set: the shared segment was initialized elsewhere, so
 *     the cache pointer stored in the slab pool is adopted;
 *   - otherwise a fresh ngx_ssl_session_cache_t is carved out of the slab
 *     pool, its rbtree and expiry queue are set up, and the pool's log
 *     context is prepared so slab errors name this cache.
 *
 * Returns NGX_OK on success, NGX_ERROR if a slab allocation fails.
 */
ngx_int_t
ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
{
    size_t                    ctx_len;
    ngx_slab_pool_t          *pool;
    ngx_ssl_session_cache_t  *sc;

    /* cache state supplied with the zone: nothing to allocate */

    if (data) {
        shm_zone->data = data;
        return NGX_OK;
    }

    pool = (ngx_slab_pool_t *) shm_zone->shm.addr;

    /* segment already initialized: adopt the cache recorded in the pool */

    if (shm_zone->shm.exists) {
        shm_zone->data = pool->data;
        return NGX_OK;
    }

    sc = ngx_slab_alloc(pool, sizeof *sc);
    if (sc == NULL) {
        return NGX_ERROR;
    }

    ngx_rbtree_init(&sc->session_rbtree, &sc->sentinel,
                    ngx_ssl_session_rbtree_insert_value);
    ngx_queue_init(&sc->expire_queue);

    /* record the cache in the pool (for the shm.exists path) and the zone */

    pool->data = sc;
    shm_zone->data = sc;

    /* sizeof() of the template already counts the NUL that %Z appends */

    ctx_len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len;

    pool->log_ctx = ngx_slab_alloc(pool, ctx_len);
    if (pool->log_ctx == NULL) {
        return NGX_ERROR;
    }

    ngx_sprintf(pool->log_ctx, " in SSL session shared cache \"%V\"%Z",
                &shm_zone->shm.name);

    /*
     * running out of slab memory is routine for this pool: the session
     * callbacks drop the oldest sessions and retry, so it is not logged
     */

    pool->log_nomem = 0;

    return NGX_OK;
}
3787 |
3788 |
3789 /* |
3790 * The length of the session id is 16 bytes for SSLv2 sessions and |
3791 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes. |
3792 * It seems that the typical length of the external ASN1 representation |
3793 * of a session is 118 or 119 bytes for SSLv3/TLSv1. |
3794 * |
3795 * Thus on 32-bit platforms we allocate separately an rbtree node, |
3796 * a session id, and an ASN1 representation, they take accordingly |
3797 * 64, 32, and 128 bytes. |
3798 * |
3799 * On 64-bit platforms we allocate separately an rbtree node + session_id, |
3800 * and an ASN1 representation, they take accordingly 128 and 128 bytes. |
3801 * |
3802 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION() are slow, |
3803 * so they are outside the code locked by shared pool mutex |
3804 */ |
3805 |
3806 static int |
3807 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
3808 { |
3809 int len; |
3810 u_char *p, *id, *cached_sess, *session_id; |
3811 uint32_t hash; |
3812 SSL_CTX *ssl_ctx; |
3813 unsigned int session_id_length; |
3814 ngx_shm_zone_t *shm_zone; |
3815 ngx_connection_t *c; |
3816 ngx_slab_pool_t *shpool; |
3817 ngx_ssl_sess_id_t *sess_id; |
3818 ngx_ssl_session_cache_t *cache; |
3819 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
3820 |
3821 len = i2d_SSL_SESSION(sess, NULL); |
3822 |
3823 /* do not cache too big session */ |
3824 |
3825 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) { |
3826 return 0; |
3827 } |
3828 |
3829 p = buf; |
3830 i2d_SSL_SESSION(sess, &p); |
3831 |
3832 c = ngx_ssl_get_connection(ssl_conn); |
3833 |
3834 ssl_ctx = c->ssl->session_ctx; |
3835 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); |
3836 |
3837 cache = shm_zone->data; |
3838 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
3839 |
3840 ngx_shmtx_lock(&shpool->mutex); |
3841 |
3842 /* drop one or two expired sessions */ |
3843 ngx_ssl_expire_sessions(cache, shpool, 1); |
3844 |
3845 cached_sess = ngx_slab_alloc_locked(shpool, len); |
3846 |
3847 if (cached_sess == NULL) { |
3848 |
3849 /* drop the oldest non-expired session and try once more */ |
3850 |
3851 ngx_ssl_expire_sessions(cache, shpool, 0); |
3852 |
3853 cached_sess = ngx_slab_alloc_locked(shpool, len); |
3854 |
3855 if (cached_sess == NULL) { |
3856 sess_id = NULL; |
3857 goto failed; |
3858 } |
3859 } |
3860 |
3861 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
3862 |
3863 if (sess_id == NULL) { |
3864 |
3865 /* drop the oldest non-expired session and try once more */ |
3866 |
3867 ngx_ssl_expire_sessions(cache, shpool, 0); |
3868 |
3869 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
3870 |
3871 if (sess_id == NULL) { |
3872 goto failed; |
3873 } |
3874 } |
3875 |
3876 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length); |
3877 |
3878 #if (NGX_PTR_SIZE == 8) |
3879 |
3880 id = sess_id->sess_id; |
3881 |
3882 #else |
3883 |
3884 id = ngx_slab_alloc_locked(shpool, session_id_length); |
3885 |
3886 if (id == NULL) { |
3887 |
3888 /* drop the oldest non-expired session and try once more */ |
3889 |
3890 ngx_ssl_expire_sessions(cache, shpool, 0); |
3891 |
3892 id = ngx_slab_alloc_locked(shpool, session_id_length); |
3893 |
3894 if (id == NULL) { |
3895 goto failed; |
3896 } |
3897 } |
3898 |
3899 #endif |
3900 |
3901 ngx_memcpy(cached_sess, buf, len); |
3902 |
3903 ngx_memcpy(id, session_id, session_id_length); |
3904 |
3905 hash = ngx_crc32_short(session_id, session_id_length); |
3906 |
3907 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3908 "ssl new session: %08XD:%ud:%d", |
3909 hash, session_id_length, len); |
3910 |
3911 sess_id->node.key = hash; |
3912 sess_id->node.data = (u_char) session_id_length; |
3913 sess_id->id = id; |
3914 sess_id->len = len; |
3915 sess_id->session = cached_sess; |
3916 |
3917 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); |
3918 |
1760 | 3919 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue); |
3920 |
3921 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node); |
3922 |
3923 ngx_shmtx_unlock(&shpool->mutex); |
3924 |
3925 return 0; |
3926 |
3927 failed: |
3928 |
3929 if (cached_sess) { |
3930 ngx_slab_free_locked(shpool, cached_sess); |
3931 } |
3932 |
3933 if (sess_id) { |
3934 ngx_slab_free_locked(shpool, sess_id); |
3935 } |
3936 |
3937 ngx_shmtx_unlock(&shpool->mutex); |
3938 |
3939 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
3940 "could not allocate new session%s", shpool->log_ctx); |
3941 |
3942 return 0; |
3943 } |
3944 |
3945 |
/*
 * OpenSSL "get session" callback backed by the shared-memory session
 * cache.
 *
 * Looks up the session identified by id/len in the rbtree of the cache
 * attached to the connection's session context (c->ssl->session_ctx).
 * Returns a freshly deserialized session on a hit, or NULL when the id
 * is unknown or the cached entry has expired; an expired entry is
 * evicted from the cache as a side effect of the lookup.
 *
 * *copy is set to 0: the returned object comes straight from
 * d2i_SSL_SESSION() and is handed over to OpenSSL as is, which tells
 * OpenSSL not to take an additional reference on it.
 */
static ngx_ssl_session_t *
ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
#if OPENSSL_VERSION_NUMBER >= 0x10100003L
    const
#endif
    u_char *id, int len, int *copy)
{
    size_t                    slen;
    uint32_t                  hash;
    ngx_int_t                 rc;
    const u_char             *p;
    ngx_shm_zone_t           *shm_zone;
    ngx_slab_pool_t          *shpool;
    ngx_rbtree_node_t        *node, *sentinel;
    ngx_ssl_session_t        *sess;
    ngx_ssl_sess_id_t        *sess_id;
    ngx_ssl_session_cache_t  *cache;
    u_char                    buf[NGX_SSL_MAX_SESSION_SIZE];
    ngx_connection_t         *c;

    /*
     * crc32 of the session id is the rbtree key; ids that collide on
     * the hash are told apart by ngx_memn2cmp() below; the (uintptr_t)
     * cast drops the const that the OpenSSL >= 1.1.0 prototype adds
     */

    hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len);
    *copy = 0;

    c = ngx_ssl_get_connection(ssl_conn);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "ssl get session: %08XD:%d", hash, len);

    /*
     * NOTE(review): no NULL check on shm_zone here, unlike in
     * ngx_ssl_remove_session(); presumably this callback is only
     * installed when a shared cache is configured -- confirm where
     * the callback is registered
     */

    shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx,
                                   ngx_ssl_session_cache_index);

    cache = shm_zone->data;

    sess = NULL;

    shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;

    /*
     * the rbtree, the expire queue and the entries themselves live in
     * shared memory and are touched by every worker: everything below,
     * up to the unlock, runs under the zone mutex
     */

    ngx_shmtx_lock(&shpool->mutex);

    node = cache->session_rbtree.root;
    sentinel = cache->session_rbtree.sentinel;

    while (node != sentinel) {

        if (hash < node->key) {
            node = node->left;
            continue;
        }

        if (hash > node->key) {
            node = node->right;
            continue;
        }

        /* hash == node->key */

        sess_id = (ngx_ssl_sess_id_t *) node;

        /* node->data holds the id length stored at insertion */

        rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id,
                          (size_t) len, (size_t) node->data);

        if (rc == 0) {

            /* exact id match: same length and same bytes */

            if (sess_id->expire > ngx_time()) {

                /*
                 * copy the serialized session out of shared memory while
                 * the lock is still held: another worker may free sess_id
                 * as soon as the mutex is released, so sess_id->len is
                 * read under the lock too (see the annotation on the
                 * unlocked-access fix); buf is NGX_SSL_MAX_SESSION_SIZE
                 * bytes, which relies on the insertion path rejecting
                 * larger sessions -- that check is not visible here
                 */

                slen = sess_id->len;

                ngx_memcpy(buf, sess_id->session, slen);

                ngx_shmtx_unlock(&shpool->mutex);

                /* ASN.1 decoding works on the private copy, outside the lock */

                p = buf;
                sess = d2i_SSL_SESSION(NULL, &p, slen);

                return sess;
            }

            /* stale entry: evict it now and report a cache miss */

            ngx_queue_remove(&sess_id->queue);

            ngx_rbtree_delete(&cache->session_rbtree, node);

            ngx_slab_free_locked(shpool, sess_id->session);
#if (NGX_PTR_SIZE == 4)
            /*
             * NOTE(review): on 32-bit platforms the id appears to be a
             * separate slab allocation (see the annotation on the 64-bit
             * allocation optimization); presumably it is stored inline
             * otherwise -- confirm against ngx_ssl_sess_id_t
             */
            ngx_slab_free_locked(shpool, sess_id->id);
#endif
            ngx_slab_free_locked(shpool, sess_id);

            sess = NULL;

            goto done;
        }

        /* same hash, different id: keep descending in memn2cmp order */

        node = (rc < 0) ? node->left : node->right;
    }

done:

    ngx_shmtx_unlock(&shpool->mutex);

    return sess;
}
4046 |
4047 |
/*
 * Invalidates a session so that it can no longer be resumed: it is
 * dropped both from OpenSSL's internal session cache and from the
 * shared-memory cache attached to the context (if it has one).  Per the
 * change that introduced it, this is used to invalidate a session when
 * there is no valid client certificate.
 */
void
ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
{
    /* OpenSSL's own in-process cache */

    SSL_CTX_remove_session(ssl, sess);

    /* nginx shared-memory cache; a no-op when no zone is attached to ssl */

    ngx_ssl_remove_session(ssl, sess);
}
4055 |
4056 |
/*
 * Removes the entry for sess from the shared-memory session cache that
 * is attached to ssl, if any.  The entry is located by the crc32 of the
 * session id (the rbtree key) and then by an exact id comparison, so
 * hash collisions do not remove the wrong session.  Does nothing when
 * the context has no cache zone or the session is not cached.
 */
static void
ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
{
    u_char                   *id;
    uint32_t                  hash;
    ngx_int_t                 rc;
    unsigned int              len;
    ngx_shm_zone_t           *shm_zone;
    ngx_slab_pool_t          *shpool;
    ngx_rbtree_node_t        *node, *sentinel;
    ngx_ssl_sess_id_t        *sess_id;
    ngx_ssl_session_cache_t  *cache;

    shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index);

    if (shm_zone == NULL) {
        /* this context has no shared session cache */
        return;
    }

    cache = shm_zone->data;
    shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;

    id = (u_char *) SSL_SESSION_get_id(sess, &len);
    hash = ngx_crc32_short(id, len);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
                   "ssl remove session: %08XD:%ud", hash, len);

    /* the tree and the entries are shared between workers */

    ngx_shmtx_lock(&shpool->mutex);

    sentinel = cache->session_rbtree.sentinel;

    for (node = cache->session_rbtree.root; node != sentinel; /* void */) {

        if (hash != node->key) {
            node = (hash < node->key) ? node->left : node->right;
            continue;
        }

        /* hash == node->key: compare the ids themselves */

        sess_id = (ngx_ssl_sess_id_t *) node;

        rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data);

        if (rc != 0) {
            /* same hash, different id: keep descending */
            node = (rc < 0) ? node->left : node->right;
            continue;
        }

        /* found: unlink from the expire queue and the tree, free the slabs */

        ngx_queue_remove(&sess_id->queue);
        ngx_rbtree_delete(&cache->session_rbtree, node);

        ngx_slab_free_locked(shpool, sess_id->session);
#if (NGX_PTR_SIZE == 4)
        /* NOTE(review): on 32-bit the id appears to be its own slab allocation */
        ngx_slab_free_locked(shpool, sess_id->id);
#endif
        ngx_slab_free_locked(shpool, sess_id);

        break;
    }

    ngx_shmtx_unlock(&shpool->mutex);
}
4132 |
4133 |
4134 static void |
4135 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
4136 ngx_slab_pool_t *shpool, ngx_uint_t n) |
4137 { |
4138 time_t now; |
1760 | 4139 ngx_queue_t *q; |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
4140 ngx_ssl_sess_id_t *sess_id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4141 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4142 now = ngx_time(); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4143 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4144 while (n < 3) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4145 |
1760 | 4146 if (ngx_queue_empty(&cache->expire_queue)) { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4147 return; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4148 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4149 |
1760 | 4150 q = ngx_queue_last(&cache->expire_queue); |
4151 | |
4152 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue); | |
4153 | |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4154 if (n++ != 0 && sess_id->expire > now) { |
1439 | 4155 return; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4156 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4157 |
1760 | 4158 ngx_queue_remove(q); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4159 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4160 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4161 "expire session: %08Xi", sess_id->node.key); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4162 |
1760 | 4163 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); |
4164 | |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
4165 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4166 #if (NGX_PTR_SIZE == 4) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4167 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4168 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4169 ngx_slab_free_locked(shpool, sess_id); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4170 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4171 } |
/*
 * rbtree insert callback for the session cache.
 *
 * Nodes are keyed by a hash of the session id, so distinct sessions may
 * share a key.  On an equal key the full session id bytes decide the side
 * (ngx_memn2cmp with the id lengths kept in node->data), which keeps the
 * tree ordering consistent with the lookup that compares ids on hash
 * collisions.  The new node is linked in red; rebalancing is left to the
 * generic rbtree code.
 */

static void
ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
    ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel)
{
    ngx_int_t            rc;
    ngx_rbtree_node_t  **p;
    ngx_ssl_sess_id_t   *sess_id, *sess_id_temp;

    /* descend from temp until the slot chosen for node is the sentinel */

    for ( ;; ) {

        if (node->key != temp->key) {
            p = (node->key < temp->key) ? &temp->left : &temp->right;

        } else {
            /* hash collision: order by the complete session id */

            sess_id = (ngx_ssl_sess_id_t *) node;
            sess_id_temp = (ngx_ssl_sess_id_t *) temp;

            rc = ngx_memn2cmp(sess_id->id, sess_id_temp->id,
                              (size_t) node->data, (size_t) temp->data);

            p = (rc < 0) ? &temp->left : &temp->right;
        }

        if (*p == sentinel) {
            break;
        }

        temp = *p;
    }

    *p = node;
    node->parent = temp;
    node->left = sentinel;
    node->right = sentinel;
    ngx_rbt_red(node);
}
4216 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
4218 ngx_int_t |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4219 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4220 { |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4221 u_char buf[80]; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4222 size_t size; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4223 ssize_t n; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4224 ngx_str_t *path; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4225 ngx_file_t file; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4226 ngx_uint_t i; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4227 ngx_array_t *keys; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4228 ngx_file_info_t fi; |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4229 ngx_pool_cleanup_t *cln; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4230 ngx_ssl_session_ticket_key_t *key; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4231 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4232 if (paths == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4233 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4234 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4235 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4236 keys = ngx_array_create(cf->pool, paths->nelts, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4237 sizeof(ngx_ssl_session_ticket_key_t)); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4238 if (keys == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4239 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4240 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4241 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4242 cln = ngx_pool_cleanup_add(cf->pool, 0); |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4243 if (cln == NULL) { |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4244 return NGX_ERROR; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4245 } |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4246 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4247 cln->handler = ngx_ssl_session_ticket_keys_cleanup; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4248 cln->data = keys; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4249 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4250 path = paths->elts; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4251 for (i = 0; i < paths->nelts; i++) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4252 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4253 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4254 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4255 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4256 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4257 ngx_memzero(&file, sizeof(ngx_file_t)); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4258 file.name = path[i]; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4259 file.log = cf->log; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4260 |
7087
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
4261 file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, |
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
4262 NGX_FILE_OPEN, 0); |
7086 | 4263 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4264 if (file.fd == NGX_INVALID_FILE) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4265 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4266 ngx_open_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4267 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4268 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4269 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4270 if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4271 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4272 ngx_fd_info_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4273 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4274 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4275 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4276 size = ngx_file_size(&fi); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4277 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4278 if (size != 48 && size != 80) { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4279 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4280 "\"%V\" must be 48 or 80 bytes", &file.name); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4281 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4282 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4283 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4284 n = ngx_read_file(&file, buf, size, 0); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4285 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4286 if (n == NGX_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4287 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4288 ngx_read_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4289 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4290 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4291 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4292 if ((size_t) n != size) { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4293 ngx_conf_log_error(NGX_LOG_CRIT, cf, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4294 ngx_read_file_n " \"%V\" returned only " |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4295 "%z bytes instead of %uz", &file.name, n, size); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4296 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4297 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4298 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4299 key = ngx_array_push(keys); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4300 if (key == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4301 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4302 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4303 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4304 if (size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4305 key->size = 48; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4306 ngx_memcpy(key->name, buf, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4307 ngx_memcpy(key->aes_key, buf + 16, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4308 ngx_memcpy(key->hmac_key, buf + 32, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4309 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4310 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4311 key->size = 80; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4312 ngx_memcpy(key->name, buf, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4313 ngx_memcpy(key->hmac_key, buf + 16, 32); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4314 ngx_memcpy(key->aes_key, buf + 48, 32); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4315 } |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4316 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4317 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4318 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4319 ngx_close_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4320 } |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4321 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4322 ngx_explicit_memzero(&buf, 80); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4323 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4324 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4325 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4326 == 0) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4327 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4328 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4329 "SSL_CTX_set_ex_data() failed"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4330 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4331 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4332 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4333 if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4334 ngx_ssl_session_ticket_key_callback) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4335 == 0) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4336 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4337 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4338 "nginx was built with Session Tickets support, however, " |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4339 "now it is linked dynamically to an OpenSSL library " |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4340 "which has no tlsext support, therefore Session Tickets " |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4341 "are not available"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4342 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4343 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4344 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4345 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4346 failed: |
4347 |
4348 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
4349 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
4350 ngx_close_file_n " \"%V\" failed", &file.name); |
4351 } |
4352 |
4353 ngx_explicit_memzero(&buf, 80); |
4354 |
4355 return NGX_ERROR; |
4356 } |
4357 |
4358 |
/*
 * Picks the ticket cipher from the size of the key file that produced
 * "key".  A 48-byte file carries a 16-byte name, a 16-byte AES-128 key and
 * a 16-byte HMAC key; the larger (80-byte) form carries a 32-byte AES-256
 * key and a 32-byte HMAC key.  The HMAC key length is stored in *hmac_len.
 */
static const EVP_CIPHER *
ngx_ssl_session_ticket_cipher(ngx_ssl_session_ticket_key_t *key,
    size_t *hmac_len)
{
    if (key->size == 48) {
        *hmac_len = 16;
        return EVP_aes_128_cbc();
    }

    *hmac_len = 32;
    return EVP_aes_256_cbc();
}


/*
 * Initializes the ticket HMAC context with the given key and digest.
 * Returns 1 on success and -1 (after logging) on failure; OpenSSL before
 * 1.0.0 has a void HMAC_Init_ex(), so that branch cannot fail.
 */
static int
ngx_ssl_session_ticket_hmac_init(ngx_connection_t *c, HMAC_CTX *hctx,
    ngx_ssl_session_ticket_key_t *key, size_t hmac_len, const EVP_MD *digest)
{
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    if (HMAC_Init_ex(hctx, key->hmac_key, hmac_len, digest, NULL) != 1) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
        return -1;
    }
#else
    HMAC_Init_ex(hctx, key->hmac_key, hmac_len, digest, NULL);
#endif

    return 1;
}


/*
 * Session ticket key callback, following the OpenSSL
 * SSL_CTX_set_tlsext_ticket_key_cb() contract:
 *
 *   enc == 1  encrypt a new ticket: draw a fresh IV, initialize ectx/hctx
 *             with the default (first) configured key and copy that key's
 *             16-byte name into "name".  Returns 1, or -1 on any library
 *             failure.
 *
 *   enc == 0  decrypt a presented ticket: look the 16-byte "name" up among
 *             the configured keys.  Returns 0 when no key has that name
 *             (the library then treats the ticket as unusable), 1 when the
 *             default key decrypted it, and 2 when it decrypted but should
 *             be renewed -- the key was a non-default (rotated) one, or the
 *             connection is TLSv1.3.  Returns -1 on any library failure.
 *
 * The key array is attached to the session context (c->ssl->session_ctx)
 * under ngx_ssl_session_ticket_keys_index.  The HMAC digest is SHA-256
 * unless the library was built without it, in which case SHA-1 is used.
 */
static int
ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
    unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
    HMAC_CTX *hctx, int enc)
{
    size_t                         hmac_len;
    ngx_uint_t                     n;
    ngx_array_t                   *keys;
    ngx_connection_t              *c;
    ngx_ssl_session_ticket_key_t  *k;
    const EVP_MD                  *digest;
    const EVP_CIPHER              *cipher;

    c = ngx_ssl_get_connection(ssl_conn);

    keys = SSL_CTX_get_ex_data(c->ssl->session_ctx,
                               ngx_ssl_session_ticket_keys_index);
    if (keys == NULL) {
        return -1;
    }

    /*
     * NOTE(review): k[0] below assumes at least one configured key; the key
     * loader (above this excerpt) is expected to guarantee that.
     */
    k = keys->elts;

#ifdef OPENSSL_NO_SHA256
    digest = EVP_sha1();
#else
    digest = EVP_sha256();
#endif

    if (enc == 1) {
        /* encrypt session ticket: always under the default (first) key */

        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "ssl session ticket encrypt, key: \"%*xs\" (%s session)",
                       (size_t) 16, k[0].name,
                       SSL_session_reused(ssl_conn) ? "reused" : "new");

        cipher = ngx_ssl_session_ticket_cipher(&k[0], &hmac_len);

        /* a fresh random IV per ticket; CBC must never reuse one under a key */

        if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
            ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed");
            return -1;
        }

        if (EVP_EncryptInit_ex(ectx, cipher, NULL, k[0].aes_key, iv) != 1) {
            ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
                          "EVP_EncryptInit_ex() failed");
            return -1;
        }

        if (ngx_ssl_session_ticket_hmac_init(c, hctx, &k[0], hmac_len, digest)
            != 1)
        {
            return -1;
        }

        ngx_memcpy(name, k[0].name, 16);

        return 1;
    }

    /* decrypt session ticket: select the key by the name carried in it */

    for (n = 0; n < keys->nelts; n++) {
        if (ngx_memcmp(name, k[n].name, 16) == 0) {
            break;
        }
    }

    if (n == keys->nelts) {
        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "ssl session ticket decrypt, key: \"%*xs\" not found",
                       (size_t) 16, name);
        return 0;
    }

    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "ssl session ticket decrypt, key: \"%*xs\"%s",
                   (size_t) 16, k[n].name, (n == 0) ? " (default)" : "");

    cipher = ngx_ssl_session_ticket_cipher(&k[n], &hmac_len);

    if (ngx_ssl_session_ticket_hmac_init(c, hctx, &k[n], hmac_len, digest)
        != 1)
    {
        return -1;
    }

    if (EVP_DecryptInit_ex(ectx, cipher, NULL, k[n].aes_key, iv) != 1) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "EVP_DecryptInit_ex() failed");
        return -1;
    }

#ifdef TLS1_3_VERSION
    /* renew if TLSv1.3: a fresh ticket is always issued on a 1.3 connection */

    if (SSL_version(ssl_conn) == TLS1_3_VERSION) {
        return 2;
    }
#endif

    /*
     * renew if non-default key: the ticket was protected by a rotated key,
     * so have the library reissue it (encryption always uses k[0])
     */

    if (n != 0) {
        return 2;
    }

    return 1;
}
4492 |
4493 |
/*
 * Cleanup handler (registered elsewhere in this file) for the session
 * ticket key array.  The AES and HMAC key material must not linger in
 * memory after the keys are released, so the array contents are wiped with
 * ngx_explicit_memzero(), which is meant to survive dead-store elimination
 * where a plain ngx_memzero() before release might not.  Only the element
 * storage is zeroed; the ngx_array_t itself is not freed here.
 */
static void
ngx_ssl_session_ticket_keys_cleanup(void *data)
{
    size_t        len;
    ngx_array_t  *keys;

    keys = data;
    len = keys->nelts * sizeof(ngx_ssl_session_ticket_key_t);

    ngx_explicit_memzero(keys->elts, len);
}
4502 |
4503 #else |
4504 |
/*
 * Fallback implementation for builds whose SSL library lacks session ticket
 * key support (the #else branch of the conditional above this function).
 * Configured "ssl_session_ticket_key" files are ignored with a warning
 * rather than rejected as a configuration error.  "cf" is unused here; it
 * only keeps the signature identical to the real implementation.
 */
ngx_int_t
ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
{
    if (paths == NULL) {
        return NGX_OK;
    }

    ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                  "\"ssl_session_ticket_key\" ignored, not supported");

    return NGX_OK;
}
4515 |
4516 #endif |
4517 |
4518 |
/*
 * Cleanup handler for an ngx_ssl_t: releases the certificates nginx attached
 * to the context and then the SSL_CTX itself.  The certificates are linked
 * through X509 ex_data -- the head is stored on the SSL_CTX under
 * ngx_ssl_certificate_index and each X509 points at its successor under
 * ngx_ssl_next_certificate_index -- so the walk releases every certificate
 * in that chain, not only the first one.
 */
void
ngx_ssl_cleanup_ctx(void *data)
{
    X509       *cert, *next;
    ngx_ssl_t  *ssl;

    ssl = data;

    for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
         cert != NULL;
         cert = next)
    {
        /* read the successor before X509_free() invalidates cert */
        next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
        X509_free(cert);
    }

    SSL_CTX_free(ssl->ctx);
}
541 | 4536 |
4537 | |
671 | 4538 ngx_int_t |
4539 ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) |
4540 { |
4541 X509 *cert; |
4542 |
4543 cert = SSL_get_peer_certificate(c->ssl->connection); |
4544 if (cert == NULL) { |
4545 return NGX_ERROR; |
4546 } |
4547 |
4548 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
4549 |
4550 /* X509_check_host() is only available in OpenSSL 1.0.2+ */ |
4551 |
5669
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4552 if (name->len == 0) { |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4553 goto failed; |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4554 } |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4555 |
5767
abd460ece11e
SSL: fix build with recent OpenSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5760
diff
changeset
|
4556 if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) { |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4557 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4558 "X509_check_host(): no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4559 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4560 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4561 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4562 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4563 "X509_check_host(): match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4564 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4565 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4566 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4567 #else |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4568 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4569 int n, i; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4570 X509_NAME *sname; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4571 ASN1_STRING *str; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4572 X509_NAME_ENTRY *entry; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4573 GENERAL_NAME *altname; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4574 STACK_OF(GENERAL_NAME) *altnames; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4575 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4576 /* |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4577 * As per RFC6125 and RFC2818, we check subjectAltName extension, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4578 * and if it's not present - commonName in Subject is checked. |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4579 */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4580 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4581 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4582 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4583 if (altnames) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4584 n = sk_GENERAL_NAME_num(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4585 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4586 for (i = 0; i < n; i++) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4587 altname = sk_GENERAL_NAME_value(altnames, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4588 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4589 if (altname->type != GEN_DNS) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4590 continue; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4591 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4592 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4593 str = altname->d.dNSName; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4594 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4595 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4596 "SSL subjectAltName: \"%*s\"", |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4597 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4598 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4599 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4600 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4601 "SSL subjectAltName: match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4602 GENERAL_NAMES_free(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4603 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4604 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4605 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4606 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4607 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4608 "SSL subjectAltName: no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4609 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4610 GENERAL_NAMES_free(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4611 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4612 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4613 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4614 /* |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4615 * If there is no subjectAltName extension, check commonName |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4616 * in Subject. While RFC2818 requires to only check "most specific" |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4617 * CN, both Apache and OpenSSL check all CNs, and so do we. |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4618 */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4619 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4620 sname = X509_get_subject_name(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4621 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4622 if (sname == NULL) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4623 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4624 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4625 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4626 i = -1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4627 for ( ;; ) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4628 i = X509_NAME_get_index_by_NID(sname, NID_commonName, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4629 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4630 if (i < 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4631 break; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4632 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4633 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4634 entry = X509_NAME_get_entry(sname, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4635 str = X509_NAME_ENTRY_get_data(entry); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4636 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4637 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4638 "SSL commonName: \"%*s\"", |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4639 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4640 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4641 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4642 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4643 "SSL commonName: match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4644 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4645 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4646 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4647 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4648 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4649 "SSL commonName: no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4650 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4651 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4652 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4653 failed: |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4654 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4655 X509_free(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4656 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4657 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4658 found: |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4659 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4660 X509_free(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4661 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4662 } |
4665 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
/*
 * Case-insensitively matches the host name in name against one certificate
 * name value (a dNSName or CN).  Two forms match: the pattern exactly, or a
 * pattern whose first label is "*" ("*.example.com"), where the wildcard
 * stands for exactly one label of name (everything before its first '.').
 * A '*' anywhere else in the pattern is compared literally.  Both
 * comparisons are length-bounded, so an embedded NUL in the certificate
 * value cannot truncate them.  No minimum-label-count rule is applied here.
 *
 * Returns NGX_OK on a match, NGX_ERROR otherwise.
 */
static ngx_int_t
ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
{
    u_char  *host, *pat, *dot, *last;
    size_t   hlen, plen;

    host = name->data;
    hlen = name->len;

    pat = ASN1_STRING_data(pattern);
    plen = ASN1_STRING_length(pattern);

    /* exact match first */

    if (hlen == plen && ngx_strncasecmp(host, pat, plen) == 0) {
        return NGX_OK;
    }

    /* only a leading "*." with something after it is a wildcard */

    if (plen <= 2 || pat[0] != '*' || pat[1] != '.') {
        return NGX_ERROR;
    }

    /* drop the '*': the pattern tail starts at '.', the host tail at its first '.' */

    pat++;
    plen--;

    last = host + hlen;
    dot = ngx_strlchr(host, last, '.');

    if (dot == NULL) {
        return NGX_ERROR;
    }

    if ((size_t) (last - dot) == plen && ngx_strncasecmp(dot, pat, plen) == 0) {
        return NGX_OK;
    }

    return NGX_ERROR;
}
4704 #endif |
/*
 * Exposes the protocol version negotiated on connection c as the static
 * NUL-terminated string owned by the SSL library.  Nothing is allocated
 * from pool and s->len is not set here.  Always returns NGX_OK.
 */
ngx_int_t
ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    const char  *version;

    version = SSL_get_version(c->ssl->connection);
    s->data = (u_char *) version;

    return NGX_OK;
}
/*
 * Exposes the name of the cipher suite negotiated on connection c as the
 * static NUL-terminated string owned by the SSL library.  Nothing is
 * allocated from pool and s->len is not set here.  Always returns NGX_OK.
 */
ngx_int_t
ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    const char  *cipher;

    cipher = SSL_get_cipher_name(c->ssl->connection);
    s->data = (u_char *) cipher;

    return NGX_OK;
}
647 | 4723 ngx_int_t |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4724 ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4725 { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4726 #ifdef SSL_CTRL_GET_RAW_CIPHERLIST |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4727 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4728 int n, i, bytes; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4729 size_t len; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4730 u_char *ciphers, *p; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4731 const SSL_CIPHER *cipher; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4732 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4733 bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4734 n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4735 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4736 if (n <= 0) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4737 s->len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4738 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4739 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4740 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4741 len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4742 n /= bytes; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4743 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4744 for (i = 0; i < n; i++) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4745 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4746 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4747 if (cipher) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4748 len += ngx_strlen(SSL_CIPHER_get_name(cipher)); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4749 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4750 } else { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4751 len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4752 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4753 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4754 len += sizeof(":") - 1; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4755 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4756 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4757 s->data = ngx_pnalloc(pool, len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4758 if (s->data == NULL) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4759 return NGX_ERROR; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4760 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4761 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4762 p = s->data; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4763 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4764 for (i = 0; i < n; i++) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4765 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4766 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4767 if (cipher) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4768 p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher)); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4769 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4770 } else { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4771 p = ngx_sprintf(p, "0x"); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4772 p = ngx_hex_dump(p, ciphers + i * bytes, bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4773 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4774 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4775 *p++ = ':'; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4776 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4777 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4778 p--; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4779 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4780 s->len = p - s->data; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4781 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4782 #else |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4783 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4784 u_char buf[4096]; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4785 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4786 if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4787 == NULL) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4788 { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4789 s->len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4790 return NGX_OK; |
4791 } |
4792 |
4793 s->len = ngx_strlen(buf); |
4794 s->data = ngx_pnalloc(pool, s->len); |
4795 if (s->data == NULL) { |
4796 return NGX_ERROR; |
4797 } |
4798 |
4799 ngx_memcpy(s->data, buf, s->len); |
4800 |
4801 #endif |
4802 |
4803 return NGX_OK; |
4804 } |
4805 |
4806 |
ngx_int_t
ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_curve: the group negotiated for key exchange on this
     * connection.  A group the library has an object entry for is
     * reported by its short name (a static string, nothing is
     * allocated); one flagged TLSEXT_nid_unknown is rendered as a hex
     * code of the "0x0000" form.  The result is empty when nothing was
     * negotiated or the library lacks SSL_get_negotiated_group().
     *
     * Returns NGX_OK, or NGX_ERROR when the hex buffer cannot be
     * allocated from pool.
     */

#ifdef SSL_get_negotiated_group

    int          nid;
    const char  *sn;

    nid = SSL_get_negotiated_group(c->ssl->connection);

    if (nid != NID_undef) {

        if (nid & TLSEXT_nid_unknown) {

            /* no object table entry: print the raw 16-bit group id */

            s->len = sizeof("0x0000") - 1;

            s->data = ngx_pnalloc(pool, s->len);
            if (s->data == NULL) {
                return NGX_ERROR;
            }

            ngx_sprintf(s->data, "0x%04xd", nid & 0xffff);

            return NGX_OK;
        }

        /* assumes OBJ_nid2sn() has a name for every NID libssl reports */

        sn = OBJ_nid2sn(nid);

        s->data = (u_char *) sn;
        s->len = ngx_strlen(sn);

        return NGX_OK;
    }

#endif

    s->len = 0;
    return NGX_OK;
}
4841 |
4842 |
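ngx_int_t
ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_curves: the supported groups the client offered, as a
     * colon-separated list.  Groups with an object table entry are
     * rendered by their short name, the rest as a hex code of the
     * "0x0000" form.  This is client-controlled input reported as-is:
     * it is useful for logging and fingerprinting, but says nothing
     * about what was actually negotiated (see $ssl_curve for that).
     *
     * Returns NGX_OK with an empty string when the library has no
     * SSL_CTRL_GET_CURVES support or the client offered no groups,
     * and NGX_ERROR when a pool allocation fails.
     */

#ifdef SSL_CTRL_GET_CURVES

    int         *curves, n, i, nid;
    u_char      *p;
    size_t       len;

    /* with a NULL array SSL_get1_curves() only reports the count */

    n = SSL_get1_curves(c->ssl->connection, NULL);

    if (n <= 0) {
        s->len = 0;
        return NGX_OK;
    }

    curves = ngx_palloc(pool, n * sizeof(int));
    if (curves == NULL) {
        /*
         * without this check a NULL here would turn the next call back
         * into a count query and the loops below would dereference NULL
         */
        return NGX_ERROR;
    }

    n = SSL_get1_curves(c->ssl->connection, curves);

    if (n <= 0) {
        /* defensive: the count is not expected to change between calls */
        s->len = 0;
        return NGX_OK;
    }

    /* first pass: size the output, one separator between elements */

    len = 0;

    for (i = 0; i < n; i++) {
        nid = curves[i];

        if (nid & TLSEXT_nid_unknown) {
            len += sizeof("0x0000") - 1;

        } else {
            len += ngx_strlen(OBJ_nid2sn(nid));
        }
    }

    len += n - 1;

    s->data = ngx_pnalloc(pool, len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    /* second pass: render, emitting the separator before every element but the first */

    p = s->data;

    for (i = 0; i < n; i++) {
        nid = curves[i];

        if (i > 0) {
            *p++ = ':';
        }

        if (nid & TLSEXT_nid_unknown) {
            p = ngx_sprintf(p, "0x%04xd", nid & 0xffff);

        } else {
            p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid));
        }
    }

    s->len = p - s->data;

#else

    s->len = 0;

#endif

    return NGX_OK;
}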
4909 |
4910 |
ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_session_id: the id of the current SSL session, hex encoded
     * into a pool buffer.  Empty, with NGX_OK, when the connection has
     * no session object at all.  The id is read through the accessor
     * rather than the SSL_SESSION fields, so it works with opaque
     * library structures.
     *
     * Returns NGX_OK, or NGX_ERROR when the hex buffer cannot be
     * allocated.
     */

    u_char        *id;
    size_t         hex_len;
    SSL_SESSION   *sess;
    unsigned int   id_len;

    sess = SSL_get0_session(c->ssl->connection);

    if (sess == NULL) {
        s->len = 0;
        return NGX_OK;
    }

    id = (u_char *) SSL_SESSION_get_id(sess, &id_len);

    /* two hex digits per id byte */

    hex_len = 2 * id_len;
    s->len = hex_len;

    s->data = ngx_pnalloc(pool, hex_len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_hex_dump(s->data, id, id_len);

    return NGX_OK;
}
4936 | |
4937 | |
ngx_int_t
ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_session_reused: "r" when the handshake resumed an earlier
     * session, "." when a full handshake was performed.  Both values
     * are static strings; pool is unused.  Always returns NGX_OK.
     */

    if (!SSL_session_reused(c->ssl->connection)) {
        ngx_str_set(s, ".");
        return NGX_OK;
    }

    ngx_str_set(s, "r");

    return NGX_OK;
}
4950 |
4951 |
ngx_int_t
ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_early_data: "1" while the connection is still in the
     * TLSv1.3 0-RTT phase, empty otherwise, and always empty when the
     * library has no early data support.  Data read in that state
     * arrived before the handshake completed, so an on-path attacker
     * can replay it; this variable is the signal a caller can use to
     * treat such requests specially (RFC 8470 describes the
     * Early-Data header and 425 handling).
     *
     * The probe differs per library: BoringSSL exposes
     * SSL_in_early_data(), for OpenSSL the handshake simply has not
     * finished yet.  pool is unused.  Always returns NGX_OK.
     */

#ifdef SSL_ERROR_EARLY_DATA_REJECTED

    /* BoringSSL */

    if (SSL_in_early_data(c->ssl->connection)) {
        ngx_str_set(s, "1");
        return NGX_OK;
    }

#elif defined SSL_READ_EARLY_DATA_SUCCESS

    /* OpenSSL */

    if (!SSL_is_init_finished(c->ssl->connection)) {
        ngx_str_set(s, "1");
        return NGX_OK;
    }

#endif

    s->len = 0;

    return NGX_OK;
}
4977 |
4978 |
ngx_int_t
ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_server_name: the host name the client sent in the TLS SNI
     * extension, or empty when none was sent or the library has no
     * SNI support.  The bytes are copied into pool verbatim: the copy
     * detaches the value from the library-owned string, and no
     * normalisation or validation happens here, so consumers must
     * treat it as untrusted client input rather than a well-formed
     * host name.
     *
     * Returns NGX_OK, or NGX_ERROR when the copy cannot be allocated.
     */

#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

    const char  *name;
    size_t       n;

    name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);

    if (name == NULL) {
        goto empty;
    }

    n = ngx_strlen(name);
    s->len = n;

    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_memcpy(s->data, name, n);

    return NGX_OK;

empty:

#endif

    s->len = 0;
    return NGX_OK;
}
5008 |
5009 |
ngx_int_t
ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_alpn_protocol: the application protocol selected through
     * ALPN on this connection, copied into pool; empty when nothing
     * was selected or the library has no ALPN support.  The selected
     * bytes are copied as-is, without a terminating NUL and without
     * being checked against any list here.
     *
     * Returns NGX_OK, or NGX_ERROR when the copy cannot be allocated.
     */

#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

    const unsigned char  *proto;
    unsigned int          proto_len;

    SSL_get0_alpn_selected(c->ssl->connection, &proto, &proto_len);

    if (proto_len == 0) {
        goto empty;
    }

    s->data = ngx_pnalloc(pool, proto_len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    s->len = proto_len;
    ngx_memcpy(s->data, proto, proto_len);

    return NGX_OK;

empty:

#endif

    s->len = 0;
    return NGX_OK;
}
5038 |
5039 |
ngx_int_t
ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * Exports the peer certificate of the connection in PEM form into s,
     * allocated from pool.  A connection without a peer certificate yields
     * an empty string and NGX_OK; NGX_ERROR is returned only on an OpenSSL
     * or allocation failure, OpenSSL failures being logged at alert level.
     */
    X509       *peer;
    BIO        *mem;
    size_t      pem_len;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    mem = BIO_new(BIO_s_mem());
    if (mem == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        X509_free(peer);
        return NGX_ERROR;
    }

    rc = NGX_ERROR;

    if (PEM_write_bio_X509(mem, peer) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
        goto done;
    }

    /* the memory BIO now holds the whole PEM text; copy it into the pool */
    pem_len = BIO_pending(mem);
    s->len = pem_len;

    s->data = ngx_pnalloc(pool, pem_len);
    if (s->data == NULL) {
        goto done;
    }

    BIO_read(mem, s->data, pem_len);
    rc = NGX_OK;

done:

    /* SSL_get_peer_certificate() returned an owned reference; drop it */
    BIO_free(mem);
    X509_free(peer);

    return rc;
}
5088 | |
5089 | |
ngx_int_t
ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * The PEM peer certificate reshaped for use as a single header value:
     * the last byte (PEM's trailing newline) is dropped and every other
     * newline is followed by a tab, marking the following line as a
     * continuation.  No peer certificate gives an empty string and NGX_OK.
     */
    u_char     *out, *in, *end;
    size_t      body, newlines;
    ngx_str_t   pem;

    if (ngx_ssl_get_raw_certificate(c, pool, &pem) != NGX_OK) {
        return NGX_ERROR;
    }

    if (pem.len == 0) {
        s->len = 0;
        return NGX_OK;
    }

    /* everything but the final byte is kept */
    body = pem.len - 1;
    end = pem.data + body;

    /* each newline gains one tab, so size the output first */
    newlines = 0;
    for (in = pem.data; in < end; in++) {
        if (*in == LF) {
            newlines++;
        }
    }

    s->len = body + newlines;
    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    out = s->data;

    for (in = pem.data; in < end; in++) {
        *out++ = *in;
        if (*in == LF) {
            *out++ = '\t';
        }
    }

    return NGX_OK;
}
5132 | |
5133 | |
ngx_int_t
ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s)
{
    /*
     * Percent-encodes the PEM peer certificate as a URI component, so the
     * value can be forwarded in a header or query string unambiguously.
     * No peer certificate gives an empty string and NGX_OK; NGX_ERROR is
     * returned when the certificate cannot be obtained or memory runs out.
     */
    ngx_str_t   pem;
    uintptr_t   cnt;

    if (ngx_ssl_get_raw_certificate(c, pool, &pem) != NGX_OK) {
        return NGX_ERROR;
    }

    if (pem.len == 0) {
        s->len = 0;
        return NGX_OK;
    }

    /* with a NULL destination ngx_escape_uri() only counts bytes to escape */
    cnt = ngx_escape_uri(NULL, pem.data, pem.len, NGX_ESCAPE_URI_COMPONENT);

    /* every escaped byte becomes "%XX", i.e. two extra characters */
    s->len = pem.len + cnt * 2;
    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_escape_uri(s->data, pem.data, pem.len, NGX_ESCAPE_URI_COMPONENT);

    return NGX_OK;
}
5162 |
5163 |
ngx_int_t
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * Subject distinguished name of the peer certificate, printed in the
     * RFC 2253 string form (XN_FLAG_RFC2253).  No peer certificate gives
     * an empty string and NGX_OK; a missing subject name, an OpenSSL
     * failure or an allocation failure gives NGX_ERROR.
     */
    X509       *peer;
    X509_NAME  *subject;
    BIO        *mem;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    subject = X509_get_subject_name(peer);
    if (subject == NULL) {
        X509_free(peer);
        return NGX_ERROR;
    }

    mem = BIO_new(BIO_s_mem());
    if (mem == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        X509_free(peer);
        return NGX_ERROR;
    }

    rc = NGX_ERROR;

    if (X509_NAME_print_ex(mem, subject, 0, XN_FLAG_RFC2253) < 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed");
        goto done;
    }

    /* the printed name sits in the memory BIO; copy it into the pool */
    s->len = BIO_pending(mem);
    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        goto done;
    }

    BIO_read(mem, s->data, s->len);
    rc = NGX_OK;

done:

    BIO_free(mem);
    X509_free(peer);

    return rc;
}
5216 |
5217 |
ngx_int_t
ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * Issuer distinguished name of the peer certificate, printed in the
     * RFC 2253 string form (XN_FLAG_RFC2253).  No peer certificate gives
     * an empty string and NGX_OK; a missing issuer name, an OpenSSL
     * failure or an allocation failure gives NGX_ERROR.
     */
    X509       *peer;
    X509_NAME  *issuer;
    BIO        *mem;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    issuer = X509_get_issuer_name(peer);
    if (issuer == NULL) {
        X509_free(peer);
        return NGX_ERROR;
    }

    mem = BIO_new(BIO_s_mem());
    if (mem == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        X509_free(peer);
        return NGX_ERROR;
    }

    rc = NGX_ERROR;

    if (X509_NAME_print_ex(mem, issuer, 0, XN_FLAG_RFC2253) < 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed");
        goto done;
    }

    /* the printed name sits in the memory BIO; copy it into the pool */
    s->len = BIO_pending(mem);
    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        goto done;
    }

    BIO_read(mem, s->data, s->len);
    rc = NGX_OK;

done:

    BIO_free(mem);
    X509_free(peer);

    return rc;
}
5270 |
5271 |
ngx_int_t
ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s)
{
    /*
     * Subject DN of the peer certificate in the older X509_NAME_oneline()
     * format, presumably kept for configurations that depend on that
     * output.  No peer certificate gives an empty string and NGX_OK;
     * a missing subject name, an OpenSSL failure or an allocation failure
     * gives NGX_ERROR.
     */
    char       *oneline;
    size_t      n;
    X509       *peer;
    X509_NAME  *subject;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    subject = X509_get_subject_name(peer);
    if (subject == NULL) {
        X509_free(peer);
        return NGX_ERROR;
    }

    /* OpenSSL allocates the string; it must be released with OPENSSL_free() */
    oneline = X509_NAME_oneline(subject, NULL, 0);
    if (oneline == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed");
        X509_free(peer);
        return NGX_ERROR;
    }

    n = 0;
    while (oneline[n] != '\0') {
        n++;
    }

    rc = NGX_ERROR;

    s->len = n;
    s->data = ngx_pnalloc(pool, n);
    if (s->data != NULL) {
        ngx_memcpy(s->data, oneline, n);
        rc = NGX_OK;
    }

    OPENSSL_free(oneline);
    X509_free(peer);

    return rc;
}
5318 | |
5319 | |
ngx_int_t
ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s)
{
    /*
     * Issuer DN of the peer certificate in the older X509_NAME_oneline()
     * format, presumably kept for configurations that depend on that
     * output.  No peer certificate gives an empty string and NGX_OK;
     * a missing issuer name, an OpenSSL failure or an allocation failure
     * gives NGX_ERROR.
     */
    char       *oneline;
    size_t      n;
    X509       *peer;
    X509_NAME  *issuer;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    issuer = X509_get_issuer_name(peer);
    if (issuer == NULL) {
        X509_free(peer);
        return NGX_ERROR;
    }

    /* OpenSSL allocates the string; it must be released with OPENSSL_free() */
    oneline = X509_NAME_oneline(issuer, NULL, 0);
    if (oneline == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed");
        X509_free(peer);
        return NGX_ERROR;
    }

    n = 0;
    while (oneline[n] != '\0') {
        n++;
    }

    rc = NGX_ERROR;

    s->len = n;
    s->data = ngx_pnalloc(pool, n);
    if (s->data != NULL) {
        ngx_memcpy(s->data, oneline, n);
        rc = NGX_OK;
    }

    OPENSSL_free(oneline);
    X509_free(peer);

    return rc;
}
5366 | |
5367 | |
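ngx_int_t
ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * Serial number of the peer certificate as printed by
     * i2a_ASN1_INTEGER() (a hexadecimal string).  No peer certificate
     * gives an empty string and NGX_OK; OpenSSL and allocation failures
     * give NGX_ERROR, OpenSSL failures being logged at alert level as the
     * other certificate getters in this file do.
     */
    size_t   len;
    X509    *cert;
    BIO     *bio;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    bio = BIO_new(BIO_s_mem());
    if (bio == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        X509_free(cert);
        return NGX_ERROR;
    }

    /*
     * i2a_ASN1_INTEGER() returns a negative value when it fails to write
     * to the BIO; left unchecked, such a failure could yield an empty or
     * partial serial number without any error being reported
     */
    if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) < 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "i2a_ASN1_INTEGER() failed");
        goto failed;
    }

    len = BIO_pending(bio);

    s->len = len;
    s->data = ngx_pnalloc(pool, len);
    if (s->data == NULL) {
        goto failed;
    }

    BIO_read(bio, s->data, len);
    BIO_free(bio);
    X509_free(cert);

    return NGX_OK;

failed:

    BIO_free(bio);
    X509_free(cert);

    return NGX_ERROR;
}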
5406 | |
5407 | |
2994 | 5408 ngx_int_t |
5409 ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5410 { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5411 X509 *cert; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5412 unsigned int len; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5413 u_char buf[EVP_MAX_MD_SIZE]; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5414 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5415 s->len = 0; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5416 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5417 cert = SSL_get_peer_certificate(c->ssl->connection); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5418 if (cert == NULL) { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5419 return NGX_OK; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5420 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5421 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5422 if (!X509_digest(cert, EVP_sha1(), buf, &len)) { |
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5423 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_digest() failed"); |
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5424 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5425 return NGX_ERROR; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5426 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5427 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5428 s->len = 2 * len; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5429 s->data = ngx_pnalloc(pool, 2 * len); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5430 if (s->data == NULL) { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5431 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5432 return NGX_ERROR; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5433 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5434 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5435 ngx_hex_dump(s->data, buf, len); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5436 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5437 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5438 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5439 return NGX_OK; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5440 } |
5441 |
5442 |
/*
 * Produces the client verification outcome for this connection:
 *
 *   "NONE"            no peer certificate was presented
 *   "SUCCESS"         chain verification and OCSP status both passed
 *   "FAILED:<reason>" chain verification or OCSP failed; <reason> is the
 *                     OpenSSL error string or the OCSP status text
 *
 * c     connection to inspect
 * pool  pool used for s->data in the "FAILED:" case
 * s     output string
 *
 * Returns NGX_OK, or NGX_ERROR when the pool allocation for the failure
 * text fails.  The peer certificate is only probed for presence; its
 * reference is dropped immediately.
 */
ngx_int_t
ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    X509        *peer;
    long         verify;
    const char  *reason;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        ngx_str_set(s, "NONE");
        return NGX_OK;
    }

    X509_free(peer);

    verify = SSL_get_verify_result(c->ssl->connection);

    if (verify != X509_V_OK) {
        reason = X509_verify_cert_error_string(verify);

    } else if (ngx_ssl_ocsp_get_status(c, &reason) == NGX_OK) {
        ngx_str_set(s, "SUCCESS");
        return NGX_OK;
    }

    /*
     * NOTE(review): on the OCSP branch ngx_ssl_ocsp_get_status() is relied
     * on to set reason when it does not return NGX_OK, exactly as before
     */

    s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(reason));
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    s->len = ngx_sprintf(s->data, "FAILED:%s", reason) - s->data;

    return NGX_OK;
}
5479 | |
5480 | |
/*
 * Renders the peer certificate's notBefore date as text (ASN1_TIME_print()
 * format) into a pool-allocated string.
 *
 * c     connection whose peer certificate is inspected
 * pool  pool used for s->data
 * s     output; left empty (len 0) when the peer sent no certificate,
 *       which is still reported as NGX_OK
 *
 * Returns NGX_OK, or NGX_ERROR when the memory BIO or the pool allocation
 * fails.  s->len is assigned before the allocation is checked, so on
 * NGX_ERROR it may be non-zero while s->data is NULL.
 */
ngx_int_t
ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    BIO        *mem;
    X509       *peer;
    size_t      n;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    rc = NGX_ERROR;

    mem = BIO_new(BIO_s_mem());
    if (mem == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        goto free_cert;
    }

    /* newer OpenSSL exposes the validity dates through X509_get0_*() */
#if OPENSSL_VERSION_NUMBER > 0x10100000L
    ASN1_TIME_print(mem, X509_get0_notBefore(peer));
#else
    ASN1_TIME_print(mem, X509_get_notBefore(peer));
#endif

    n = BIO_pending(mem);

    s->len = n;
    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        goto free_bio;
    }

    BIO_read(mem, s->data, n);
    rc = NGX_OK;

free_bio:
    BIO_free(mem);

free_cert:
    X509_free(peer);

    return rc;
}
5524 |
5525 |
/*
 * Renders the peer certificate's notAfter date as text (ASN1_TIME_print()
 * format) into a pool-allocated string.
 *
 * c     connection whose peer certificate is inspected
 * pool  pool used for s->data
 * s     output; left empty (len 0) when the peer sent no certificate,
 *       which is still reported as NGX_OK
 *
 * Returns NGX_OK, or NGX_ERROR when the memory BIO or the pool allocation
 * fails.  s->len is assigned before the allocation is checked, so on
 * NGX_ERROR it may be non-zero while s->data is NULL.
 */
ngx_int_t
ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    BIO        *mem;
    X509       *peer;
    size_t      n;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    rc = NGX_ERROR;

    mem = BIO_new(BIO_s_mem());
    if (mem == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        goto free_cert;
    }

    /* newer OpenSSL exposes the validity dates through X509_get0_*() */
#if OPENSSL_VERSION_NUMBER > 0x10100000L
    ASN1_TIME_print(mem, X509_get0_notAfter(peer));
#else
    ASN1_TIME_print(mem, X509_get_notAfter(peer));
#endif

    n = BIO_pending(mem);

    s->len = n;
    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        goto free_bio;
    }

    BIO_read(mem, s->data, n);
    rc = NGX_OK;

free_bio:
    BIO_free(mem);

free_cert:
    X509_free(peer);

    return rc;
}
5569 |
5570 |
/*
 * Produces the number of whole days left until the peer certificate's
 * notAfter date, as decimal text.
 *
 * c     connection whose peer certificate is inspected
 * pool  pool used for s->data
 * s     output; left empty (len 0) when the peer sent no certificate or
 *       when notAfter cannot be parsed (both reported as NGX_OK); set to
 *       "0" when fewer than 86400 seconds remain or the certificate has
 *       already expired
 *
 * Returns NGX_OK, or NGX_ERROR when the pool allocation fails.
 */
ngx_int_t
ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    X509       *peer;
    time_t      now, expires;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    rc = NGX_OK;

#if OPENSSL_VERSION_NUMBER > 0x10100000L
    expires = ngx_ssl_parse_time(X509_get0_notAfter(peer), c->log);
#else
    expires = ngx_ssl_parse_time(X509_get_notAfter(peer), c->log);
#endif

    /*
     * an unparsable notAfter leaves the variable empty; ngx_ssl_parse_time()
     * receives c->log, presumably so it reports the failure itself
     */
    if (expires == (time_t) NGX_ERROR) {
        goto done;
    }

    now = ngx_time();

    /* less than one full day left (or already expired) reads as "0" */
    if (expires < now + 86400) {
        ngx_str_set(s, "0");
        goto done;
    }

    s->data = ngx_pnalloc(pool, NGX_TIME_T_LEN);
    if (s->data == NULL) {
        rc = NGX_ERROR;
        goto done;
    }

    s->len = ngx_sprintf(s->data, "%T", (expires - now) / 86400) - s->data;

done:
    X509_free(peer);

    return rc;
}
5615 |
5616 |
/*
 * Converts an X.509 ASN1_TIME into a time_t.
 *
 * OpenSSL offers no direct ASN1_TIME -> time_t conversion, so the value
 * is rendered with ASN1_TIME_print() into a memory BIO (the output uses
 * the "MMM DD HH:MM:SS YYYY [GMT]" layout, e.g. "Feb  3 00:55:52 2015 GMT"),
 * prefixed with a fake weekday so the text has the asctime() layout, and
 * handed to ngx_parse_http_time().
 *
 * Returns NGX_ERROR when the BIO cannot be allocated (reported on "log");
 * otherwise the result of ngx_parse_http_time() is returned as-is.
 * BIO_write()/ASN1_TIME_print() results are not checked here, so a
 * rendering failure is left for the parser to reject (presumably as
 * NGX_ERROR - confirm against ngx_parse_http_time()).
 */

static time_t
ngx_ssl_parse_time(
#if OPENSSL_VERSION_NUMBER > 0x10100000L
    const
#endif
    ASN1_TIME *asn1time, ngx_log_t *log)
{
    BIO     *mem;
    char    *text;
    size_t   textlen;
    time_t   parsed;

    mem = BIO_new(BIO_s_mem());

    if (mem == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "BIO_new() failed");
        return NGX_ERROR;
    }

    /* a fake weekday first, so the text matches the C asctime() layout */
    BIO_write(mem, "Tue ", sizeof("Tue ") - 1);
    ASN1_TIME_print(mem, asn1time);

    textlen = BIO_get_mem_data(mem, &text);
    parsed = ngx_parse_http_time((u_char *) text, textlen);

    BIO_free(mem);

    return parsed;
}
5654 |
5655 |
/*
 * Allocates the module's configuration structure from the cycle pool.
 *
 * Returns the zero-filled ngx_openssl_conf_t, or NULL when the pool
 * allocation fails.  The zero fill done by ngx_pcalloc() is what sets
 * conf->engine to 0; nothing else is initialized here.
 */

static void *
ngx_openssl_create_conf(ngx_cycle_t *cycle)
{
    ngx_openssl_conf_t  *conf;

    conf = ngx_pcalloc(cycle->pool, sizeof *conf);

    if (conf == NULL) {
        return NULL;
    }

    /* conf->engine is already 0 courtesy of ngx_pcalloc() */

    return conf;
}
5674 | |
5675 | |
/*
 * Configuration handler that loads the OpenSSL engine named by the
 * directive's first argument and makes it the default for all method
 * types (ENGINE_METHOD_ALL).
 *
 * Returns NGX_CONF_OK on success; NGX_CONF_ERROR, after reporting the
 * OpenSSL error on cf->log, when the engine cannot be looked up or
 * cannot be made the default; "is duplicate" when the directive was
 * already seen; and "is not supported" in builds with OPENSSL_NO_ENGINE.
 */

static char *
ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
#ifndef OPENSSL_NO_ENGINE

    ngx_openssl_conf_t  *oscf = conf;

    char       *rv;
    ENGINE     *e;
    ngx_str_t  *args;

    if (oscf->engine) {
        return "is duplicate";
    }

    oscf->engine = 1;

    args = cf->args->elts;

    /* args[1] is the engine id given in the configuration */
    e = ENGINE_by_id((char *) args[1].data);

    if (e == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
                      "ENGINE_by_id(\"%V\") failed", &args[1]);
        return NGX_CONF_ERROR;
    }

    rv = NGX_CONF_OK;

    if (ENGINE_set_default(e, ENGINE_METHOD_ALL) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
                      "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
                      &args[1]);
        rv = NGX_CONF_ERROR;
    }

    /* the reference obtained from ENGINE_by_id() is released on both paths */
    ENGINE_free(e);

    return rv;

#else

    return "is not supported";

#endif
}
571 | 5722 |
5723 | |
/*
 * Exit hook for the OpenSSL module.
 *
 * Only OpenSSL builds with a version number below 0x10100003L get explicit
 * teardown here: EVP_cleanup(), plus ENGINE_cleanup() when engine support
 * is compiled in.  For newer builds the body is empty.  The cycle argument
 * is not used.
 */

static void
ngx_openssl_exit(ngx_cycle_t *cycle)
{
#if (OPENSSL_VERSION_NUMBER < 0x10100003L)

    EVP_cleanup();

#if !defined(OPENSSL_NO_ENGINE)
    ENGINE_cleanup();
#endif

#endif
}