Mercurial > hg > nginx
annotate src/event/ngx_event_openssl.c @ 7997:e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Chrome only uses TLS session tickets once with TLS 1.3, likely following
RFC 8446 Appendix C.4 recommendation. With OpenSSL, this works fine with
built-in session tickets, since these are explicitly renewed in case of
TLS 1.3 on each session reuse, but results in only two connections being
reused after an initial handshake when using ssl_session_ticket_key.
Fix is to always renew TLS session tickets in case of TLS 1.3 when using
ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 24 Jan 2022 17:18:50 +0300 |
| parents | aeab41dfd260 |
| children | a736a7a613ea 7c2adf237091 |
| rev | line source |
|---|---|
|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
1 |
|
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
2 /* |
|
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
5 */ |
|
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
6 |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
7 |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #include <ngx_config.h> |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
9 #include <ngx_core.h> |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
10 #include <ngx_event.h> |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
| 541 | 12 |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
13 #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
14 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
15 |
| 541 | 16 typedef struct { |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
17 ngx_uint_t engine; /* unsigned engine:1; */ |
| 541 | 18 } ngx_openssl_conf_t; |
| 479 | 19 |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
20 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
21 static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
22 ngx_str_t *cert, STACK_OF(X509) **chain); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
23 static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
24 ngx_str_t *key, ngx_array_t *passwords); |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
25 static int ngx_ssl_password_callback(char *buf, int size, int rwflag, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
26 void *userdata); |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
27 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
28 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
29 int ret); |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
30 static void ngx_ssl_passwords_cleanup(void *data); |
|
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
31 static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
32 ngx_ssl_session_t *sess); |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
33 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
34 static ngx_int_t ngx_ssl_try_early_data(ngx_connection_t *c); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
35 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
36 #if (NGX_DEBUG) |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
37 static void ngx_ssl_handshake_log(ngx_connection_t *c); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
38 #endif |
| 547 | 39 static void ngx_ssl_handshake_handler(ngx_event_t *ev); |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
40 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
41 static ssize_t ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
42 size_t size); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
43 #endif |
| 489 | 44 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); |
| 473 | 45 static void ngx_ssl_write_handler(ngx_event_t *wev); |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
46 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
47 static ssize_t ngx_ssl_write_early(ngx_connection_t *c, u_char *data, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
48 size_t size); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
49 #endif |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
50 static ssize_t ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
51 size_t size); |
| 473 | 52 static void ngx_ssl_read_handler(ngx_event_t *rev); |
| 577 | 53 static void ngx_ssl_shutdown_handler(ngx_event_t *ev); |
| 547 | 54 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, |
| 55 ngx_err_t err, char *text); | |
|
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
56 static void ngx_ssl_clear_error(ngx_log_t *log); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
57 |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
58 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, |
|
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
59 ngx_str_t *sess_ctx, ngx_array_t *certificates); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
60 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
61 ngx_ssl_session_t *sess); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
62 static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
|
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
63 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
|
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
64 const |
|
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
65 #endif |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
66 u_char *id, int len, int *copy); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
67 static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
68 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
69 ngx_slab_pool_t *shpool, ngx_uint_t n); |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
70 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
71 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
72 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
73 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
74 static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
75 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
76 HMAC_CTX *hctx, int enc); |
|
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
77 static void ngx_ssl_session_ticket_keys_cleanup(void *data); |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
78 #endif |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
79 |
|
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
80 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
|
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
81 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
82 #endif |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
83 |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
84 static time_t ngx_ssl_parse_time( |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
85 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
86 const |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
87 #endif |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
88 ASN1_TIME *asn1time, ngx_log_t *log); |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
89 |
| 541 | 90 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
91 static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); |
| 571 | 92 static void ngx_openssl_exit(ngx_cycle_t *cycle); |
| 541 | 93 |
| 94 | |
| 95 static ngx_command_t ngx_openssl_commands[] = { | |
| 96 | |
| 97 { ngx_string("ssl_engine"), | |
| 98 NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1, | |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
99 ngx_openssl_engine, |
| 541 | 100 0, |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
101 0, |
| 541 | 102 NULL }, |
| 103 | |
| 104 ngx_null_command | |
| 105 }; | |
| 106 | |
| 107 | |
| 108 static ngx_core_module_t ngx_openssl_module_ctx = { | |
| 109 ngx_string("openssl"), | |
| 110 ngx_openssl_create_conf, | |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
111 NULL |
| 577 | 112 }; |
| 541 | 113 |
| 114 | |
| 115 ngx_module_t ngx_openssl_module = { | |
| 116 NGX_MODULE_V1, | |
| 117 &ngx_openssl_module_ctx, /* module context */ | |
| 118 ngx_openssl_commands, /* module directives */ | |
| 119 NGX_CORE_MODULE, /* module type */ | |
| 120 NULL, /* init master */ | |
| 121 NULL, /* init module */ | |
| 122 NULL, /* init process */ | |
| 123 NULL, /* init thread */ | |
| 124 NULL, /* exit thread */ | |
| 125 NULL, /* exit process */ | |
| 571 | 126 ngx_openssl_exit, /* exit master */ |
| 541 | 127 NGX_MODULE_V1_PADDING |
| 547 | 128 }; |
| 129 | |
| 130 | |
| 969 | 131 int ngx_ssl_connection_index; |
| 132 int ngx_ssl_server_conf_index; | |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
133 int ngx_ssl_session_cache_index; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
134 int ngx_ssl_session_ticket_keys_index; |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
135 int ngx_ssl_ocsp_index; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
136 int ngx_ssl_certificate_index; |
|
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
137 int ngx_ssl_next_certificate_index; |
|
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
138 int ngx_ssl_certificate_name_index; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
139 int ngx_ssl_stapling_index; |
| 671 | 140 |
| 141 | |
| 489 | 142 ngx_int_t |
| 143 ngx_ssl_init(ngx_log_t *log) | |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
144 { |
|
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
145 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
|
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
146 |
|
6902
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
147 if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) { |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
148 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed"); |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
149 return NGX_ERROR; |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
150 } |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
151 |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
152 /* |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
153 * OPENSSL_init_ssl() may leave errors in the error queue |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
154 * while returning success |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
155 */ |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
156 |
|
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
157 ERR_clear_error(); |
|
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
158 |
|
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
159 #else |
|
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
160 |
| 968 | 161 OPENSSL_config(NULL); |
| 162 | |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
163 SSL_library_init(); |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
164 SSL_load_error_strings(); |
| 541 | 165 |
|
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
166 OpenSSL_add_all_algorithms(); |
|
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
167 |
|
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
168 #endif |
|
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
169 |
|
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
170 #ifndef SSL_OP_NO_COMPRESSION |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
171 { |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
172 /* |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
173 * Disable gzip compression in OpenSSL prior to 1.0.0 version, |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
174 * this saves about 522K per connection. |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
175 */ |
|
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
176 int n; |
|
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
177 STACK_OF(SSL_COMP) *ssl_comp_methods; |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
178 |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
179 ssl_comp_methods = SSL_COMP_get_compression_methods(); |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
180 n = sk_SSL_COMP_num(ssl_comp_methods); |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
181 |
|
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
182 while (n--) { |
|
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
183 (void) sk_SSL_COMP_pop(ssl_comp_methods); |
|
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
184 } |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
185 } |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
186 #endif |
|
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
187 |
| 969 | 188 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
| 671 | 189 |
| 969 | 190 if (ngx_ssl_connection_index == -1) { |
| 671 | 191 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); |
| 192 return NGX_ERROR; | |
| 193 } | |
| 194 | |
| 969 | 195 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
| 196 NULL); | |
| 197 if (ngx_ssl_server_conf_index == -1) { | |
| 198 ngx_ssl_error(NGX_LOG_ALERT, log, 0, | |
| 199 "SSL_CTX_get_ex_new_index() failed"); | |
| 200 return NGX_ERROR; | |
| 201 } | |
| 202 | |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
203 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
204 NULL); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
205 if (ngx_ssl_session_cache_index == -1) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
206 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
207 "SSL_CTX_get_ex_new_index() failed"); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
208 return NGX_ERROR; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
209 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
210 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
211 ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
212 NULL, NULL); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
213 if (ngx_ssl_session_ticket_keys_index == -1) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
214 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
215 "SSL_CTX_get_ex_new_index() failed"); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
216 return NGX_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
217 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
218 |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
219 ngx_ssl_ocsp_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
220 if (ngx_ssl_ocsp_index == -1) { |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
221 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
222 "SSL_CTX_get_ex_new_index() failed"); |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
223 return NGX_ERROR; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
224 } |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
225 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
226 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
227 NULL); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
228 if (ngx_ssl_certificate_index == -1) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
229 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
230 "SSL_CTX_get_ex_new_index() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
231 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
232 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
233 |
|
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
234 ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
235 NULL); |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
236 if (ngx_ssl_next_certificate_index == -1) { |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
237 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
238 return NGX_ERROR; |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
239 } |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
240 |
|
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
241 ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
|
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
242 NULL); |
|
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
243 |
|
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
244 if (ngx_ssl_certificate_name_index == -1) { |
|
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
245 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
|
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
246 return NGX_ERROR; |
|
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
247 } |
|
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
248 |
|
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
249 ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
|
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
250 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
251 if (ngx_ssl_stapling_index == -1) { |
|
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
252 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
253 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
254 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
255 |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
256 return NGX_OK; |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
257 } |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
258 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
259 |
| 489 | 260 ngx_int_t |
| 969 | 261 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) |
| 547 | 262 { |
| 577 | 263 ssl->ctx = SSL_CTX_new(SSLv23_method()); |
| 547 | 264 |
| 265 if (ssl->ctx == NULL) { | |
| 266 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed"); | |
| 267 return NGX_ERROR; | |
| 268 } | |
| 269 | |
| 969 | 270 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) { |
| 271 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 272 "SSL_CTX_set_ex_data() failed"); | |
| 273 return NGX_ERROR; | |
| 274 } | |
| 275 | |
|
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
276 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) { |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
277 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
278 "SSL_CTX_set_ex_data() failed"); |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
279 return NGX_ERROR; |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
280 } |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
281 |
|
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
282 ssl->buffer_size = NGX_SSL_BUFSIZE; |
|
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
283 |
| 577 | 284 /* client side options */ |
| 285 | |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
286 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG |
| 577 | 287 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG); |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
288 #endif |
|
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
289 |
|
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
290 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG |
| 577 | 291 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG); |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
292 #endif |
| 577 | 293 |
| 294 /* server side options */ | |
| 563 | 295 |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
296 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
| 563 | 297 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
298 #endif |
|
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
299 |
|
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
300 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
| 563 | 301 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
302 #endif |
| 563 | 303 |
|
5778
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
304 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
| 563 | 305 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); |
|
5778
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
306 #endif |
|
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
307 |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
308 #ifdef SSL_OP_TLS_D5_BUG |
| 563 | 309 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG); |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
310 #endif |
|
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
311 |
|
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
312 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG |
| 563 | 313 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
314 #endif |
|
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
315 |
|
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
316 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
| 563 | 317 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
|
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
318 #endif |
| 563 | 319 |
| 2044 | 320 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); |
| 547 | 321 |
|
7318
3443fe40bdc7
SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7317
diff
changeset
|
322 #if OPENSSL_VERSION_NUMBER >= 0x009080dfL |
|
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
323 /* only in 0.9.8m+ */ |
|
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
324 SSL_CTX_clear_options(ssl->ctx, |
|
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
325 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); |
|
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
326 #endif |
|
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
327 |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
328 if (!(protocols & NGX_SSL_SSLv2)) { |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
329 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
330 } |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
331 if (!(protocols & NGX_SSL_SSLv3)) { |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
332 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
333 } |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
334 if (!(protocols & NGX_SSL_TLSv1)) { |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
335 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); |
| 547 | 336 } |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
337 #ifdef SSL_OP_NO_TLSv1_1 |
|
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
338 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1); |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
339 if (!(protocols & NGX_SSL_TLSv1_1)) { |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
340 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
341 } |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
342 #endif |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
343 #ifdef SSL_OP_NO_TLSv1_2 |
|
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
344 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2); |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
345 if (!(protocols & NGX_SSL_TLSv1_2)) { |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
346 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
347 } |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
348 #endif |
|
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
349 #ifdef SSL_OP_NO_TLSv1_3 |
|
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
350 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
|
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
351 if (!(protocols & NGX_SSL_TLSv1_3)) { |
|
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
352 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
|
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
353 } |
|
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
354 #endif |
| 547 | 355 |
|
7372
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
356 #ifdef SSL_CTX_set_min_proto_version |
|
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
357 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
|
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
358 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); |
|
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
359 #endif |
|
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
360 |
|
7332
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
361 #ifdef TLS1_3_VERSION |
|
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
362 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
|
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
363 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); |
|
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
364 #endif |
|
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
365 |
|
4185
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
366 #ifdef SSL_OP_NO_COMPRESSION |
|
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
367 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); |
|
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
368 #endif |
|
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
369 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
370 #ifdef SSL_OP_NO_ANTI_REPLAY |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
371 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
372 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
373 |
|
7474
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
374 #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION |
|
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
375 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); |
|
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
376 #endif |
|
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
377 |
|
7899
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
378 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF |
|
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
379 SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); |
|
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
380 #endif |
|
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7897
diff
changeset
|
381 |
|
4186
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
382 #ifdef SSL_MODE_RELEASE_BUFFERS |
|
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
383 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); |
|
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
384 #endif |
|
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
385 |
|
6036
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
386 #ifdef SSL_MODE_NO_AUTO_CHAIN |
|
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
387 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN); |
|
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
388 #endif |
|
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
389 |
| 547 | 390 SSL_CTX_set_read_ahead(ssl->ctx, 1); |
| 391 | |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
392 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
393 |
| 547 | 394 return NGX_OK; |
| 395 } | |
| 396 | |
| 397 | |
| 398 ngx_int_t | |
|
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
399 ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
400 ngx_array_t *keys, ngx_array_t *passwords) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
401 { |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
402 ngx_str_t *cert, *key; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
403 ngx_uint_t i; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
404 |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
405 cert = certs->elts; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
406 key = keys->elts; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
407 |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
408 for (i = 0; i < certs->nelts; i++) { |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
409 |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
410 if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
411 != NGX_OK) |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
412 { |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
413 return NGX_ERROR; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
414 } |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
415 } |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
416 |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
417 return NGX_OK; |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
418 } |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
419 |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
420 |
|
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
421 ngx_int_t |
| 563 | 422 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
423 ngx_str_t *key, ngx_array_t *passwords) |
| 547 | 424 { |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
425 char *err; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
426 X509 *x509; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
427 EVP_PKEY *pkey; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
428 STACK_OF(X509) *chain; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
429 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
430 x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
431 if (x509 == NULL) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
432 if (err != NULL) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
433 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
434 "cannot load certificate \"%s\": %s", |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
435 cert->data, err); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
436 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
437 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
438 return NGX_ERROR; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
439 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
440 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
441 if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
442 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
443 "SSL_CTX_use_certificate(\"%s\") failed", cert->data); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
444 X509_free(x509); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
445 sk_X509_pop_free(chain, X509_free); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
446 return NGX_ERROR; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
447 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
448 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
449 if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data) |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
450 == 0) |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
451 { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
452 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
453 X509_free(x509); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
454 sk_X509_pop_free(chain, X509_free); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
455 return NGX_ERROR; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
456 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
457 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
458 if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
459 SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index)) |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
460 == 0) |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
461 { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
462 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
463 X509_free(x509); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
464 sk_X509_pop_free(chain, X509_free); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
465 return NGX_ERROR; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
466 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
467 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
468 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509) == 0) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
469 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
470 "SSL_CTX_set_ex_data() failed"); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
471 X509_free(x509); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
472 sk_X509_pop_free(chain, X509_free); |
| 547 | 473 return NGX_ERROR; |
| 474 } | |
| 475 | |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
476 /* |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
477 * Note that x509 is not freed here, but will be instead freed in |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
478 * ngx_ssl_cleanup_ctx(). This is because we need to preserve all |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
479 * certificates to be able to iterate all of them through exdata |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
480 * (ngx_ssl_certificate_index, ngx_ssl_next_certificate_index), |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
481 * while OpenSSL can free a certificate if it is replaced with another |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
482 * certificate of the same type. |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
483 */ |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
484 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
485 #ifdef SSL_CTX_set0_chain |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
486 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
487 if (SSL_CTX_set0_chain(ssl->ctx, chain) == 0) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
488 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
489 "SSL_CTX_set0_chain(\"%s\") failed", cert->data); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
490 sk_X509_pop_free(chain, X509_free); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
491 return NGX_ERROR; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
492 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
493 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
494 #else |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
495 { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
496 int n; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
497 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
498 /* SSL_CTX_set0_chain() is only available in OpenSSL 1.0.2+ */ |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
499 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
500 n = sk_X509_num(chain); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
501 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
502 while (n--) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
503 x509 = sk_X509_shift(chain); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
504 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
505 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
506 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
507 "SSL_CTX_add_extra_chain_cert(\"%s\") failed", |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
508 cert->data); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
509 sk_X509_pop_free(chain, X509_free); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
510 return NGX_ERROR; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
511 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
512 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
513 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
514 sk_X509_free(chain); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
515 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
516 #endif |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
517 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
518 pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
519 if (pkey == NULL) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
520 if (err != NULL) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
521 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
522 "cannot load certificate key \"%s\": %s", |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
523 key->data, err); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
524 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
525 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
526 return NGX_ERROR; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
527 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
528 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
529 if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
530 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
531 "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
532 EVP_PKEY_free(pkey); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
533 return NGX_ERROR; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
534 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
535 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
536 EVP_PKEY_free(pkey); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
537 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
538 return NGX_OK; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
539 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
540 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
541 |
|
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
542 ngx_int_t |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
543 ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
544 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords) |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
545 { |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
546 char *err; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
547 X509 *x509; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
548 EVP_PKEY *pkey; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
549 STACK_OF(X509) *chain; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
550 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
551 x509 = ngx_ssl_load_certificate(pool, &err, cert, &chain); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
552 if (x509 == NULL) { |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
553 if (err != NULL) { |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
554 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
555 "cannot load certificate \"%s\": %s", |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
556 cert->data, err); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
557 } |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
558 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
559 return NGX_ERROR; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
560 } |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
561 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
562 if (SSL_use_certificate(c->ssl->connection, x509) == 0) { |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
563 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
564 "SSL_use_certificate(\"%s\") failed", cert->data); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
565 X509_free(x509); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
566 sk_X509_pop_free(chain, X509_free); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
567 return NGX_ERROR; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
568 } |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
569 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
570 X509_free(x509); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
571 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
572 #ifdef SSL_set0_chain |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
573 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
574 /* |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
575 * SSL_set0_chain() is only available in OpenSSL 1.0.2+, |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
576 * but this function is only called via certificate callback, |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
577 * which is only available in OpenSSL 1.0.2+ as well |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
578 */ |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
579 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
580 if (SSL_set0_chain(c->ssl->connection, chain) == 0) { |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
581 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
582 "SSL_set0_chain(\"%s\") failed", cert->data); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
583 sk_X509_pop_free(chain, X509_free); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
584 return NGX_ERROR; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
585 } |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
586 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
587 #endif |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
588 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
589 pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
590 if (pkey == NULL) { |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
591 if (err != NULL) { |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
592 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
593 "cannot load certificate key \"%s\": %s", |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
594 key->data, err); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
595 } |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
596 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
597 return NGX_ERROR; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
598 } |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
599 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
600 if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) { |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
601 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
602 "SSL_use_PrivateKey(\"%s\") failed", key->data); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
603 EVP_PKEY_free(pkey); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
604 return NGX_ERROR; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
605 } |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
606 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
607 EVP_PKEY_free(pkey); |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
608 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
609 return NGX_OK; |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
610 } |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
611 |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
612 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
613 static X509 * |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
614 ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
615 STACK_OF(X509) **chain) |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
616 { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
617 BIO *bio; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
618 X509 *x509, *temp; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
619 u_long n; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
620 |
|
7477
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
621 if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
622 |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
623 bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1, |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
624 cert->len - (sizeof("data:") - 1)); |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
625 if (bio == NULL) { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
626 *err = "BIO_new_mem_buf() failed"; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
627 return NULL; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
628 } |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
629 |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
630 } else { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
631 |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
632 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert) |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
633 != NGX_OK) |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
634 { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
635 *err = NULL; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
636 return NULL; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
637 } |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
638 |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
639 bio = BIO_new_file((char *) cert->data, "r"); |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
640 if (bio == NULL) { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
641 *err = "BIO_new_file() failed"; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
642 return NULL; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
643 } |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
644 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
645 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
646 /* certificate itself */ |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
647 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
648 x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
649 if (x509 == NULL) { |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
650 *err = "PEM_read_bio_X509_AUX() failed"; |
|
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
651 BIO_free(bio); |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
652 return NULL; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
653 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
654 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
655 /* rest of the chain */ |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
656 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
657 *chain = sk_X509_new_null(); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
658 if (*chain == NULL) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
659 *err = "sk_X509_new_null() failed"; |
|
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
660 BIO_free(bio); |
|
5384
cfbf1d1cc233
SSL: fixed possible memory and file descriptor leak on HUP signal.
Piotr Sikora <piotr@cloudflare.com>
parents:
5378
diff
changeset
|
661 X509_free(x509); |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
662 return NULL; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
663 } |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
664 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
665 for ( ;; ) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
666 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
667 temp = PEM_read_bio_X509(bio, NULL, NULL, NULL); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
668 if (temp == NULL) { |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
669 n = ERR_peek_last_error(); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
670 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
671 if (ERR_GET_LIB(n) == ERR_LIB_PEM |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
672 && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
673 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
674 /* end of file */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
675 ERR_clear_error(); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
676 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
677 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
678 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
679 /* some real error */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
680 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
681 *err = "PEM_read_bio_X509() failed"; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
682 BIO_free(bio); |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
683 X509_free(x509); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
684 sk_X509_pop_free(*chain, X509_free); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
685 return NULL; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
686 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
687 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
688 if (sk_X509_push(*chain, temp) == 0) { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
689 *err = "sk_X509_push() failed"; |
|
6549
d3302eb87a0c
SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
690 BIO_free(bio); |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
691 X509_free(x509); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
692 sk_X509_pop_free(*chain, X509_free); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
693 return NULL; |
|
6549
d3302eb87a0c
SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
694 } |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
695 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
696 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
697 BIO_free(bio); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
698 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
699 return x509; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
700 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
701 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
702 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
703 static EVP_PKEY * |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
704 ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
705 ngx_str_t *key, ngx_array_t *passwords) |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
706 { |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
707 BIO *bio; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
708 EVP_PKEY *pkey; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
709 ngx_str_t *pwd; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
710 ngx_uint_t tries; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
711 pem_password_cb *cb; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
712 |
|
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
713 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
714 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
715 #ifndef OPENSSL_NO_ENGINE |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
716 |
|
7476
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
717 u_char *p, *last; |
|
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
718 ENGINE *engine; |
|
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
719 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
720 p = key->data + sizeof("engine:") - 1; |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
721 last = (u_char *) ngx_strchr(p, ':'); |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
722 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
723 if (last == NULL) { |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
724 *err = "invalid syntax"; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
725 return NULL; |
|
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
726 } |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
727 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
728 *last = '\0'; |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
729 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
730 engine = ENGINE_by_id((char *) p); |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
731 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
732 if (engine == NULL) { |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
733 *err = "ENGINE_by_id() failed"; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
734 return NULL; |
|
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
735 } |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
736 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
737 *last++ = ':'; |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
738 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
739 pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
740 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
741 if (pkey == NULL) { |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
742 *err = "ENGINE_load_private_key() failed"; |
|
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
743 ENGINE_free(engine); |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
744 return NULL; |
|
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
745 } |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
746 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
747 ENGINE_free(engine); |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
748 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
749 return pkey; |
|
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
750 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
751 #else |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
752 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
753 *err = "loading \"engine:...\" certificate keys is not supported"; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
754 return NULL; |
|
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
755 |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
756 #endif |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
757 } |
|
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
758 |
|
7477
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
759 if (ngx_strncmp(key->data, "data:", sizeof("data:") - 1) == 0) { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
760 |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
761 bio = BIO_new_mem_buf(key->data + sizeof("data:") - 1, |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
762 key->len - (sizeof("data:") - 1)); |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
763 if (bio == NULL) { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
764 *err = "BIO_new_mem_buf() failed"; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
765 return NULL; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
766 } |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
767 |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
768 } else { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
769 |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
770 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key) |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
771 != NGX_OK) |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
772 { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
773 *err = NULL; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
774 return NULL; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
775 } |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
776 |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
777 bio = BIO_new_file((char *) key->data, "r"); |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
778 if (bio == NULL) { |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
779 *err = "BIO_new_file() failed"; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
780 return NULL; |
|
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
781 } |
| 563 | 782 } |
| 783 | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
784 if (passwords) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
785 tries = passwords->nelts; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
786 pwd = passwords->elts; |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
787 cb = ngx_ssl_password_callback; |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
788 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
789 } else { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
790 tries = 1; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
791 pwd = NULL; |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
792 cb = NULL; |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
793 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
794 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
795 for ( ;; ) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
796 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
797 pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
798 if (pkey != NULL) { |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
799 break; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
800 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
801 |
|
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
802 if (tries-- > 1) { |
|
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
803 ERR_clear_error(); |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
804 (void) BIO_reset(bio); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
805 pwd++; |
|
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
806 continue; |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
807 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
808 |
|
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
809 *err = "PEM_read_bio_PrivateKey() failed"; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
810 BIO_free(bio); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
811 return NULL; |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
812 } |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
813 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
814 BIO_free(bio); |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
815 |
|
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
816 return pkey; |
| 547 | 817 } |
| 818 | |
| 819 | |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
820 static int |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
821 ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata) |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
822 { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
823 ngx_str_t *pwd = userdata; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
824 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
825 if (rwflag) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
826 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
827 "ngx_ssl_password_callback() is called for encryption"); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
828 return 0; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
829 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
830 |
|
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
831 if (pwd == NULL) { |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
832 return 0; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
833 } |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
834 |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
835 if (pwd->len > (size_t) size) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
836 ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
837 "password is truncated to %d bytes", size); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
838 } else { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
839 size = pwd->len; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
840 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
841 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
842 ngx_memcpy(buf, pwd->data, size); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
843 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
844 return size; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
845 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
846 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
847 |
| 547 | 848 ngx_int_t |
|
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
849 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
850 ngx_uint_t prefer_server_ciphers) |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
851 { |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
852 if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) { |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
853 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
854 "SSL_CTX_set_cipher_list(\"%V\") failed", |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
855 ciphers); |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
856 return NGX_ERROR; |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
857 } |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
858 |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
859 if (prefer_server_ciphers) { |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
860 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
861 } |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
862 |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
863 return NGX_OK; |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
864 } |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
865 |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
866 |
|
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
867 ngx_int_t |
| 671 | 868 ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
| 869 ngx_int_t depth) | |
| 647 | 870 { |
| 671 | 871 STACK_OF(X509_NAME) *list; |
| 872 | |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
873 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); |
| 671 | 874 |
| 875 SSL_CTX_set_verify_depth(ssl->ctx, depth); | |
| 876 | |
| 877 if (cert->len == 0) { | |
| 878 return NGX_OK; | |
| 879 } | |
| 880 | |
|
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
881 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
| 647 | 882 return NGX_ERROR; |
| 883 } | |
| 884 | |
| 885 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) | |
| 886 == 0) | |
| 887 { | |
| 888 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 889 "SSL_CTX_load_verify_locations(\"%s\") failed", | |
| 890 cert->data); | |
| 891 return NGX_ERROR; | |
| 892 } | |
| 893 | |
|
5365
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
894 /* |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
895 * SSL_CTX_load_verify_locations() may leave errors in the error queue |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
896 * while returning success |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
897 */ |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
898 |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
899 ERR_clear_error(); |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
900 |
| 671 | 901 list = SSL_load_client_CA_file((char *) cert->data); |
| 902 | |
| 903 if (list == NULL) { | |
| 904 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 905 "SSL_load_client_CA_file(\"%s\") failed", cert->data); | |
| 906 return NGX_ERROR; | |
| 907 } | |
| 908 | |
| 909 SSL_CTX_set_client_CA_list(ssl->ctx, list); | |
| 910 | |
| 647 | 911 return NGX_OK; |
| 912 } | |
| 913 | |
| 914 | |
| 2995 | 915 ngx_int_t |
|
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
916 ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
917 ngx_int_t depth) |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
918 { |
|
7672
3dcb1aba894a
SSL: fixed unexpected certificate requests (ticket #2008).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7664
diff
changeset
|
919 SSL_CTX_set_verify(ssl->ctx, SSL_CTX_get_verify_mode(ssl->ctx), |
|
3dcb1aba894a
SSL: fixed unexpected certificate requests (ticket #2008).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7664
diff
changeset
|
920 ngx_ssl_verify_callback); |
|
7664
699f6e55bbb4
SSL: added verify callback to ngx_ssl_trusted_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7653
diff
changeset
|
921 |
|
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
922 SSL_CTX_set_verify_depth(ssl->ctx, depth); |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
923 |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
924 if (cert->len == 0) { |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
925 return NGX_OK; |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
926 } |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
927 |
|
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
928 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
|
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
929 return NGX_ERROR; |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
930 } |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
931 |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
932 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
933 == 0) |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
934 { |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
935 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
936 "SSL_CTX_load_verify_locations(\"%s\") failed", |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
937 cert->data); |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
938 return NGX_ERROR; |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
939 } |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
940 |
|
5365
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
941 /* |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
942 * SSL_CTX_load_verify_locations() may leave errors in the error queue |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
943 * while returning success |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
944 */ |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
945 |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
946 ERR_clear_error(); |
|
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
947 |
|
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
948 return NGX_OK; |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
949 } |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
950 |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
951 |
|
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
952 ngx_int_t |
| 2995 | 953 ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl) |
| 954 { | |
| 955 X509_STORE *store; | |
| 956 X509_LOOKUP *lookup; | |
| 957 | |
| 958 if (crl->len == 0) { | |
| 959 return NGX_OK; | |
| 960 } | |
| 961 | |
|
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
962 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) { |
| 2995 | 963 return NGX_ERROR; |
| 964 } | |
| 965 | |
| 966 store = SSL_CTX_get_cert_store(ssl->ctx); | |
| 967 | |
| 968 if (store == NULL) { | |
| 969 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 970 "SSL_CTX_get_cert_store() failed"); | |
| 971 return NGX_ERROR; | |
| 972 } | |
| 973 | |
| 974 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); | |
| 975 | |
| 976 if (lookup == NULL) { | |
| 977 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 978 "X509_STORE_add_lookup() failed"); | |
| 979 return NGX_ERROR; | |
| 980 } | |
| 981 | |
| 982 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM) | |
| 983 == 0) | |
| 984 { | |
| 985 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 986 "X509_LOOKUP_load_file(\"%s\") failed", crl->data); | |
| 987 return NGX_ERROR; | |
| 988 } | |
| 989 | |
| 990 X509_STORE_set_flags(store, | |
| 991 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | |
| 992 | |
| 993 return NGX_OK; | |
| 994 } | |
| 995 | |
| 996 | |
| 671 | 997 static int |
|
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
998 ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) |
| 671 | 999 { |
|
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
1000 #if (NGX_DEBUG) |
| 671 | 1001 char *subject, *issuer; |
| 1002 int err, depth; | |
| 1003 X509 *cert; | |
|
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1004 X509_NAME *sname, *iname; |
| 671 | 1005 ngx_connection_t *c; |
| 1006 ngx_ssl_conn_t *ssl_conn; | |
| 1007 | |
| 1008 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store, | |
| 1009 SSL_get_ex_data_X509_STORE_CTX_idx()); | |
| 1010 | |
| 1011 c = ngx_ssl_get_connection(ssl_conn); | |
| 1012 | |
|
7781
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
1013 if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) { |
|
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
1014 return 1; |
|
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
1015 } |
|
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
1016 |
| 671 | 1017 cert = X509_STORE_CTX_get_current_cert(x509_store); |
| 1018 err = X509_STORE_CTX_get_error(x509_store); | |
| 1019 depth = X509_STORE_CTX_get_error_depth(x509_store); | |
| 1020 | |
|
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1021 sname = X509_get_subject_name(cert); |
|
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1022 |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1023 if (sname) { |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1024 subject = X509_NAME_oneline(sname, NULL, 0); |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1025 if (subject == NULL) { |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1026 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1027 "X509_NAME_oneline() failed"); |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1028 } |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1029 |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1030 } else { |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1031 subject = NULL; |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1032 } |
|
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1033 |
|
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1034 iname = X509_get_issuer_name(cert); |
|
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1035 |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1036 if (iname) { |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1037 issuer = X509_NAME_oneline(iname, NULL, 0); |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1038 if (issuer == NULL) { |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1039 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1040 "X509_NAME_oneline() failed"); |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1041 } |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1042 |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1043 } else { |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1044 issuer = NULL; |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1045 } |
| 671 | 1046 |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1047 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 671 | 1048 "verify:%d, error:%d, depth:%d, " |
|
5775
294d020bbcfe
SSL: misplaced space in debug message.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5767
diff
changeset
|
1049 "subject:\"%s\", issuer:\"%s\"", |
|
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1050 ok, err, depth, |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1051 subject ? subject : "(none)", |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1052 issuer ? issuer : "(none)"); |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1053 |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1054 if (subject) { |
|
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1055 OPENSSL_free(subject); |
|
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1056 } |
|
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1057 |
|
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
1058 if (issuer) { |
|
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1059 OPENSSL_free(issuer); |
|
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1060 } |
|
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
1061 #endif |
|
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1062 |
| 671 | 1063 return 1; |
| 1064 } | |
| 1065 | |
| 1066 | |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1067 static void |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1068 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1069 { |
|
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1070 BIO *rbio, *wbio; |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1071 ngx_connection_t *c; |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1072 |
|
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1073 #ifndef SSL_OP_NO_RENEGOTIATION |
|
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1074 |
|
6982
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1075 if ((where & SSL_CB_HANDSHAKE_START) |
|
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1076 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) |
|
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1077 { |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1078 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1079 |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1080 if (c->ssl->handshaked) { |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1081 c->ssl->renegotiation = 1; |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1082 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1083 } |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1084 } |
|
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1085 |
|
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1086 #endif |
|
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1087 |
|
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1088 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1089 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1090 |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1091 if (!c->ssl->handshake_buffer_set) { |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1092 /* |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1093 * By default OpenSSL uses 4k buffer during a handshake, |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1094 * which is too low for long certificate chains and might |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1095 * result in extra round-trips. |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1096 * |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1097 * To adjust a buffer size we detect that buffering was added |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1098 * to write side of the connection by comparing rbio and wbio. |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1099 * If they are different, we assume that it's due to buffering |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1100 * added to wbio, and set buffer size. |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1101 */ |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1102 |
|
7509
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
1103 rbio = SSL_get_rbio(ssl_conn); |
|
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
1104 wbio = SSL_get_wbio(ssl_conn); |
|
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1105 |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1106 if (rbio != wbio) { |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1107 (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE); |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1108 c->ssl->handshake_buffer_set = 1; |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1109 } |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1110 } |
|
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1111 } |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1112 } |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1113 |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1114 |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1115 ngx_array_t * |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1116 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file) |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1117 { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1118 u_char *p, *last, *end; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1119 size_t len; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1120 ssize_t n; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1121 ngx_fd_t fd; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1122 ngx_str_t *pwd; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1123 ngx_array_t *passwords; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1124 ngx_pool_cleanup_t *cln; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1125 u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE]; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1126 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1127 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1128 return NULL; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1129 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1130 |
|
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1131 passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t)); |
|
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1132 if (passwords == NULL) { |
|
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1133 return NULL; |
|
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1134 } |
|
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1135 |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1136 cln = ngx_pool_cleanup_add(cf->temp_pool, 0); |
|
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1137 if (cln == NULL) { |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1138 return NULL; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1139 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1140 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1141 cln->handler = ngx_ssl_passwords_cleanup; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1142 cln->data = passwords; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1143 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1144 fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); |
| 7086 | 1145 |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1146 if (fd == NGX_INVALID_FILE) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1147 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1148 ngx_open_file_n " \"%s\" failed", file->data); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1149 return NULL; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1150 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1151 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1152 len = 0; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1153 last = buf; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1154 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1155 do { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1156 n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1157 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1158 if (n == -1) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1159 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1160 ngx_read_fd_n " \"%s\" failed", file->data); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1161 passwords = NULL; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1162 goto cleanup; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1163 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1164 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1165 end = last + n; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1166 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1167 if (len && n == 0) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1168 *end++ = LF; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1169 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1170 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1171 p = buf; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1172 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1173 for ( ;; ) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1174 last = ngx_strlchr(last, end, LF); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1175 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1176 if (last == NULL) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1177 break; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1178 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1179 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1180 len = last++ - p; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1181 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1182 if (len && p[len - 1] == CR) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1183 len--; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1184 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1185 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1186 if (len) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1187 pwd = ngx_array_push(passwords); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1188 if (pwd == NULL) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1189 passwords = NULL; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1190 goto cleanup; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1191 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1192 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1193 pwd->len = len; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1194 pwd->data = ngx_pnalloc(cf->temp_pool, len); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1195 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1196 if (pwd->data == NULL) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1197 passwords->nelts--; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1198 passwords = NULL; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1199 goto cleanup; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1200 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1201 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1202 ngx_memcpy(pwd->data, p, len); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1203 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1204 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1205 p = last; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1206 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1207 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1208 len = end - p; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1209 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1210 if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1211 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1212 "too long line in \"%s\"", file->data); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1213 passwords = NULL; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1214 goto cleanup; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1215 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1216 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1217 ngx_memmove(buf, p, len); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1218 last = buf + len; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1219 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1220 } while (n != 0); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1221 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1222 if (passwords->nelts == 0) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1223 pwd = ngx_array_push(passwords); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1224 if (pwd == NULL) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1225 passwords = NULL; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1226 goto cleanup; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1227 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1228 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1229 ngx_memzero(pwd, sizeof(ngx_str_t)); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1230 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1231 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1232 cleanup: |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1233 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1234 if (ngx_close_file(fd) == NGX_FILE_ERROR) { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1235 ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1236 ngx_close_file_n " \"%s\" failed", file->data); |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1237 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1238 |
|
7395
9ca82f273967
Core: ngx_explicit_memzero().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7372
diff
changeset
|
1239 ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE); |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1240 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1241 return passwords; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1242 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1243 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1244 |
|
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1245 ngx_array_t * |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1246 ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords) |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1247 { |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1248 ngx_str_t *opwd, *pwd; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1249 ngx_uint_t i; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1250 ngx_array_t *pwds; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1251 ngx_pool_cleanup_t *cln; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1252 static ngx_array_t empty_passwords; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1253 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1254 if (passwords == NULL) { |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1255 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1256 /* |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1257 * If there are no passwords, an empty array is used |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1258 * to make sure OpenSSL's default password callback |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1259 * won't block on reading from stdin. |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1260 */ |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1261 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1262 return &empty_passwords; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1263 } |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1264 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1265 /* |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1266 * Passwords are normally allocated from the temporary pool |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1267 * and cleared after parsing configuration. To be used at |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1268 * runtime they have to be copied to the configuration pool. |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1269 */ |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1270 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1271 pwds = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t)); |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1272 if (pwds == NULL) { |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1273 return NULL; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1274 } |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1275 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1276 cln = ngx_pool_cleanup_add(cf->pool, 0); |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1277 if (cln == NULL) { |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1278 return NULL; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1279 } |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1280 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1281 cln->handler = ngx_ssl_passwords_cleanup; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1282 cln->data = pwds; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1283 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1284 opwd = passwords->elts; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1285 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1286 for (i = 0; i < passwords->nelts; i++) { |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1287 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1288 pwd = ngx_array_push(pwds); |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1289 if (pwd == NULL) { |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1290 return NULL; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1291 } |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1292 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1293 pwd->len = opwd[i].len; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1294 pwd->data = ngx_pnalloc(cf->pool, pwd->len); |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1295 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1296 if (pwd->data == NULL) { |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1297 pwds->nelts--; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1298 return NULL; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1299 } |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1300 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1301 ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len); |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1302 } |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1303 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1304 return pwds; |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1305 } |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1306 |
|
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1307 |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1308 static void |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1309 ngx_ssl_passwords_cleanup(void *data) |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1310 { |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1311 ngx_array_t *passwords = data; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1312 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1313 ngx_str_t *pwd; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1314 ngx_uint_t i; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1315 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1316 pwd = passwords->elts; |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1317 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1318 for (i = 0; i < passwords->nelts; i++) { |
|
7395
9ca82f273967
Core: ngx_explicit_memzero().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7372
diff
changeset
|
1319 ngx_explicit_memzero(pwd[i].data, pwd[i].len); |
|
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1320 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1321 } |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1322 |
|
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1323 |
| 547 | 1324 ngx_int_t |
| 2044 | 1325 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) |
| 1326 { | |
| 1327 BIO *bio; | |
| 1328 | |
| 1329 if (file->len == 0) { | |
| 1330 return NGX_OK; | |
| 1331 } | |
| 1332 | |
|
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
1333 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
| 2044 | 1334 return NGX_ERROR; |
| 1335 } | |
| 1336 | |
| 1337 bio = BIO_new_file((char *) file->data, "r"); | |
| 1338 if (bio == NULL) { | |
| 1339 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 1340 "BIO_new_file(\"%s\") failed", file->data); | |
| 1341 return NGX_ERROR; | |
| 1342 } | |
| 1343 | |
|
7896
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1344 #ifdef SSL_CTX_set_tmp_dh |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1345 { |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1346 DH *dh; |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1347 |
| 2044 | 1348 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); |
| 1349 if (dh == NULL) { | |
| 1350 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
| 1351 "PEM_read_bio_DHparams(\"%s\") failed", file->data); | |
| 1352 BIO_free(bio); | |
| 1353 return NGX_ERROR; | |
| 1354 } | |
| 1355 | |
|
7892
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1356 if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) { |
|
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1357 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1358 "SSL_CTX_set_tmp_dh(\"%s\") failed", file->data); |
|
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1359 DH_free(dh); |
|
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1360 BIO_free(bio); |
|
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1361 return NGX_ERROR; |
|
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7891
diff
changeset
|
1362 } |
| 2044 | 1363 |
| 1364 DH_free(dh); | |
|
7896
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1365 } |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1366 #else |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1367 { |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1368 EVP_PKEY *dh; |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1369 |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1370 /* |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1371 * PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1372 * are deprecated in OpenSSL 3.0 |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1373 */ |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1374 |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1375 dh = PEM_read_bio_Parameters(bio, NULL); |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1376 if (dh == NULL) { |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1377 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1378 "PEM_read_bio_Parameters(\"%s\") failed", file->data); |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1379 BIO_free(bio); |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1380 return NGX_ERROR; |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1381 } |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1382 |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1383 if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) { |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1384 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1385 "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data); |
|
7994
aeab41dfd260
SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7987
diff
changeset
|
1386 #if (OPENSSL_VERSION_NUMBER >= 0x3000001fL) |
|
aeab41dfd260
SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7987
diff
changeset
|
1387 EVP_PKEY_free(dh); |
|
aeab41dfd260
SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7987
diff
changeset
|
1388 #endif |
|
7896
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1389 BIO_free(bio); |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1390 return NGX_ERROR; |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1391 } |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1392 } |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1393 #endif |
|
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7894
diff
changeset
|
1394 |
| 2044 | 1395 BIO_free(bio); |
| 1396 | |
| 1397 return NGX_OK; | |
| 1398 } | |
| 1399 | |
| 4522 | 1400 |
| 3960 | 1401 ngx_int_t |
| 1402 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) | |
| 1403 { | |
| 1404 #ifndef OPENSSL_NO_ECDH | |
| 1405 | |
| 1406 /* | |
| 1407 * Elliptic-Curve Diffie-Hellman parameters are either "named curves" | |
|
4572
67653855682e
Fixed spelling in multiline C comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4522
diff
changeset
|
1408 * from RFC 4492 section 5.1.1, or explicitly described curves over |
| 6552 | 1409 * binary fields. OpenSSL only supports the "named curves", which provide |
| 3960 | 1410 * maximum interoperability. |
| 1411 */ | |
| 1412 | |
|
6983
3518287d995e
SSL: compatibility with OpenSSL master branch.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6982
diff
changeset
|
1413 #if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) |
|
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1414 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1415 /* |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1416 * OpenSSL 1.0.2+ allows configuring a curve list instead of a single |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1417 * curve previously supported. By default an internal list is used, |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1418 * with prime256v1 being preferred by server in OpenSSL 1.0.2b+ |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1419 * and X25519 in OpenSSL 1.1.0+. |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1420 * |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1421 * By default a curve preferred by the client will be used for |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1422 * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1423 * be used to prefer server curves instead, similar to what it |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1424 * does for ciphers. |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1425 */ |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1426 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1427 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1428 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1429 #if SSL_CTRL_SET_ECDH_AUTO |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1430 /* not needed in OpenSSL 1.1.0+ */ |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1431 SSL_CTX_set_ecdh_auto(ssl->ctx, 1); |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1432 #endif |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1433 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1434 if (ngx_strcmp(name->data, "auto") == 0) { |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1435 return NGX_OK; |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1436 } |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1437 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1438 if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) { |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1439 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1440 "SSL_CTX_set1_curves_list(\"%s\") failed", name->data); |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1441 return NGX_ERROR; |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1442 } |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1443 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1444 #else |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1445 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1446 int nid; |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1447 char *curve; |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1448 EC_KEY *ecdh; |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1449 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1450 if (ngx_strcmp(name->data, "auto") == 0) { |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1451 curve = "prime256v1"; |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1452 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1453 } else { |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1454 curve = (char *) name->data; |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1455 } |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1456 |
|
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1457 nid = OBJ_sn2nid(curve); |
| 3960 | 1458 if (nid == 0) { |
| 1459 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
|
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1460 "OBJ_sn2nid(\"%s\") failed: unknown curve", curve); |
| 3960 | 1461 return NGX_ERROR; |
| 1462 } | |
| 1463 | |
| 1464 ecdh = EC_KEY_new_by_curve_name(nid); | |
| 1465 if (ecdh == NULL) { | |
| 1466 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
|
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1467 "EC_KEY_new_by_curve_name(\"%s\") failed", curve); |
| 3960 | 1468 return NGX_ERROR; |
| 1469 } | |
| 1470 | |
|
5003
82234f3f5ca2
SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4877
diff
changeset
|
1471 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); |
|
82234f3f5ca2
SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4877
diff
changeset
|
1472 |
| 3960 | 1473 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); |
| 1474 | |
| 1475 EC_KEY_free(ecdh); | |
| 1476 #endif | |
| 1477 #endif | |
| 1478 | |
| 1479 return NGX_OK; | |
| 1480 } | |
| 2044 | 1481 |
| 4522 | 1482 |
| 2044 | 1483 ngx_int_t |
|
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1484 ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1485 { |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1486 if (!enable) { |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1487 return NGX_OK; |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1488 } |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1489 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1490 #ifdef SSL_ERROR_EARLY_DATA_REJECTED |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1491 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1492 /* BoringSSL */ |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1493 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1494 SSL_CTX_set_early_data_enabled(ssl->ctx, 1); |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1495 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1496 #elif defined SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1497 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1498 /* OpenSSL */ |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1499 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1500 SSL_CTX_set_max_early_data(ssl->ctx, NGX_SSL_BUFSIZE); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1501 |
|
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1502 #else |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1503 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1504 "\"ssl_early_data\" is not supported on this platform, " |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1505 "ignored"); |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1506 #endif |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1507 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1508 return NGX_OK; |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1509 } |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1510 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1511 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1512 ngx_int_t |
|
7729
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1513 ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *commands) |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1514 { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1515 if (commands == NULL) { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1516 return NGX_OK; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1517 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1518 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1519 #ifdef SSL_CONF_FLAG_FILE |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1520 { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1521 int type; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1522 u_char *key, *value; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1523 ngx_uint_t i; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1524 ngx_keyval_t *cmd; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1525 SSL_CONF_CTX *cctx; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1526 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1527 cctx = SSL_CONF_CTX_new(); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1528 if (cctx == NULL) { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1529 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1530 "SSL_CONF_CTX_new() failed"); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1531 return NGX_ERROR; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1532 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1533 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1534 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1535 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1536 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1537 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1538 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1539 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1540 SSL_CONF_CTX_set_ssl_ctx(cctx, ssl->ctx); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1541 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1542 cmd = commands->elts; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1543 for (i = 0; i < commands->nelts; i++) { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1544 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1545 key = cmd[i].key.data; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1546 type = SSL_CONF_cmd_value_type(cctx, (char *) key); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1547 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1548 if (type == SSL_CONF_TYPE_FILE || type == SSL_CONF_TYPE_DIR) { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1549 if (ngx_conf_full_name(cf->cycle, &cmd[i].value, 1) != NGX_OK) { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1550 SSL_CONF_CTX_free(cctx); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1551 return NGX_ERROR; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1552 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1553 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1554 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1555 value = cmd[i].value.data; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1556 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1557 if (SSL_CONF_cmd(cctx, (char *) key, (char *) value) <= 0) { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1558 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1559 "SSL_CONF_cmd(\"%s\", \"%s\") failed", key, value); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1560 SSL_CONF_CTX_free(cctx); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1561 return NGX_ERROR; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1562 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1563 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1564 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1565 if (SSL_CONF_CTX_finish(cctx) != 1) { |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1566 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1567 "SSL_CONF_finish() failed"); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1568 SSL_CONF_CTX_free(cctx); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1569 return NGX_ERROR; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1570 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1571 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1572 SSL_CONF_CTX_free(cctx); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1573 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1574 return NGX_OK; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1575 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1576 #else |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1577 ngx_log_error(NGX_LOG_EMERG, ssl->log, 0, |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1578 "SSL_CONF_cmd() is not available on this platform"); |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1579 return NGX_ERROR; |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1580 #endif |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1581 } |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1582 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1583 |
|
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7709
diff
changeset
|
1584 ngx_int_t |
|
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1585 ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1586 { |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1587 if (!enable) { |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1588 return NGX_OK; |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1589 } |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1590 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1591 SSL_CTX_set_session_cache_mode(ssl->ctx, |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1592 SSL_SESS_CACHE_CLIENT |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1593 |SSL_SESS_CACHE_NO_INTERNAL); |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1594 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1595 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session); |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1596 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1597 return NGX_OK; |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1598 } |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1599 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1600 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1601 static int |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1602 ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1603 { |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1604 ngx_connection_t *c; |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1605 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1606 c = ngx_ssl_get_connection(ssl_conn); |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1607 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1608 if (c->ssl->save_session) { |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1609 c->ssl->session = sess; |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1610 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1611 c->ssl->save_session(c); |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1612 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1613 c->ssl->session = NULL; |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1614 } |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1615 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1616 return 0; |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1617 } |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1618 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1619 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1620 ngx_int_t |
| 547 | 1621 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) |
| 577 | 1622 { |
| 547 | 1623 ngx_ssl_connection_t *sc; |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1624 |
| 547 | 1625 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); |
| 1626 if (sc == NULL) { | |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1627 return NGX_ERROR; |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1628 } |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1629 |
|
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1630 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); |
|
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
1631 sc->buffer_size = ssl->buffer_size; |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1632 |
|
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
1633 sc->session_ctx = ssl->ctx; |
|
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
1634 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1635 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1636 if (SSL_CTX_get_max_early_data(ssl->ctx)) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1637 sc->try_early_data = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1638 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1639 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1640 |
| 547 | 1641 sc->connection = SSL_new(ssl->ctx); |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1642 |
| 547 | 1643 if (sc->connection == NULL) { |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1644 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed"); |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1645 return NGX_ERROR; |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1646 } |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1647 |
| 547 | 1648 if (SSL_set_fd(sc->connection, c->fd) == 0) { |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1649 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed"); |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1650 return NGX_ERROR; |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1651 } |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1652 |
| 577 | 1653 if (flags & NGX_SSL_CLIENT) { |
| 1654 SSL_set_connect_state(sc->connection); | |
| 1655 | |
| 1656 } else { | |
| 1657 SSL_set_accept_state(sc->connection); | |
|
7319
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1658 |
|
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1659 #ifdef SSL_OP_NO_RENEGOTIATION |
|
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1660 SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION); |
|
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1661 #endif |
| 577 | 1662 } |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1663 |
| 969 | 1664 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) { |
| 671 | 1665 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed"); |
| 1666 return NGX_ERROR; | |
| 1667 } | |
| 1668 | |
| 547 | 1669 c->ssl = sc; |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1670 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1671 return NGX_OK; |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1672 } |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1673 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1674 |
|
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1675 ngx_ssl_session_t * |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1676 ngx_ssl_get_session(ngx_connection_t *c) |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1677 { |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1678 #ifdef TLS1_3_VERSION |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1679 if (c->ssl->session) { |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1680 SSL_SESSION_up_ref(c->ssl->session); |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1681 return c->ssl->session; |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1682 } |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1683 #endif |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1684 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1685 return SSL_get1_session(c->ssl->connection); |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1686 } |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1687 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1688 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1689 ngx_ssl_session_t * |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1690 ngx_ssl_get0_session(ngx_connection_t *c) |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1691 { |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1692 if (c->ssl->session) { |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1693 return c->ssl->session; |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1694 } |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1695 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1696 return SSL_get0_session(c->ssl->connection); |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1697 } |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1698 |
|
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1699 |
| 547 | 1700 ngx_int_t |
| 577 | 1701 ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) |
| 1702 { | |
| 1703 if (session) { | |
| 1704 if (SSL_set_session(c->ssl->connection, session) == 0) { | |
| 1705 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed"); | |
| 1706 return NGX_ERROR; | |
| 1707 } | |
| 1708 } | |
| 1709 | |
| 1710 return NGX_OK; | |
| 1711 } | |
| 1712 | |
| 1713 | |
| 1714 ngx_int_t | |
| 547 | 1715 ngx_ssl_handshake(ngx_connection_t *c) |
| 1716 { | |
| 1717 int n, sslerr; | |
| 1718 ngx_err_t err; | |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1719 ngx_int_t rc; |
| 547 | 1720 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1721 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1722 if (c->ssl->try_early_data) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1723 return ngx_ssl_try_early_data(c); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1724 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1725 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1726 |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1727 if (c->ssl->in_ocsp) { |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1728 return ngx_ssl_ocsp_validate(c); |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1729 } |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1730 |
|
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1731 ngx_ssl_clear_error(c->log); |
|
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1732 |
| 547 | 1733 n = SSL_do_handshake(c->ssl->connection); |
| 1734 | |
| 577 | 1735 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); |
| 547 | 1736 |
| 1737 if (n == 1) { | |
| 1738 | |
|
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1739 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
| 547 | 1740 return NGX_ERROR; |
| 1741 } | |
| 1742 | |
|
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1743 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
| 547 | 1744 return NGX_ERROR; |
| 1745 } | |
| 1746 | |
| 1747 #if (NGX_DEBUG) | |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1748 ngx_ssl_handshake_log(c); |
| 547 | 1749 #endif |
| 1750 | |
| 1751 c->recv = ngx_ssl_recv; | |
| 1752 c->send = ngx_ssl_write; | |
| 577 | 1753 c->recv_chain = ngx_ssl_recv_chain; |
| 1754 c->send_chain = ngx_ssl_send_chain; | |
| 547 | 1755 |
|
7891
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1756 c->read->ready = 1; |
|
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1757 c->write->ready = 1; |
|
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1758 |
|
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1759 #ifndef SSL_OP_NO_RENEGOTIATION |
|
6255
b40af2fd1c16
SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6036
diff
changeset
|
1760 #if OPENSSL_VERSION_NUMBER < 0x10100000L |
|
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1761 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS |
|
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1762 |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1763 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ |
|
6995
eb5d119323d8
SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6983
diff
changeset
|
1764 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1765 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1766 } |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1767 |
|
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1768 #endif |
|
6255
b40af2fd1c16
SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6036
diff
changeset
|
1769 #endif |
|
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1770 #endif |
|
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1771 |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1772 #ifdef BIO_get_ktls_send |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1773 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1774 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1775 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1776 "BIO_get_ktls_send(): 1"); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1777 c->ssl->sendfile = 1; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1778 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1779 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1780 #endif |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1781 |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1782 rc = ngx_ssl_ocsp_validate(c); |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1783 |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1784 if (rc == NGX_ERROR) { |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1785 return NGX_ERROR; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1786 } |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1787 |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1788 if (rc == NGX_AGAIN) { |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1789 c->read->handler = ngx_ssl_handshake_handler; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1790 c->write->handler = ngx_ssl_handshake_handler; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1791 return NGX_AGAIN; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1792 } |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1793 |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1794 c->ssl->handshaked = 1; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1795 |
| 547 | 1796 return NGX_OK; |
| 1797 } | |
| 1798 | |
| 1799 sslerr = SSL_get_error(c->ssl->connection, n); | |
| 1800 | |
| 1801 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); | |
| 1802 | |
| 1803 if (sslerr == SSL_ERROR_WANT_READ) { | |
| 1804 c->read->ready = 0; | |
| 1805 c->read->handler = ngx_ssl_handshake_handler; | |
| 591 | 1806 c->write->handler = ngx_ssl_handshake_handler; |
| 547 | 1807 |
|
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1808 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
| 547 | 1809 return NGX_ERROR; |
| 1810 } | |
| 1811 | |
|
5024
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1812 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
|
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1813 return NGX_ERROR; |
|
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1814 } |
|
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1815 |
| 547 | 1816 return NGX_AGAIN; |
| 1817 } | |
| 1818 | |
| 1819 if (sslerr == SSL_ERROR_WANT_WRITE) { | |
| 1820 c->write->ready = 0; | |
| 591 | 1821 c->read->handler = ngx_ssl_handshake_handler; |
| 547 | 1822 c->write->handler = ngx_ssl_handshake_handler; |
| 1823 | |
|
5024
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1824 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1825 return NGX_ERROR; |
|
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1826 } |
|
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1827 |
|
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1828 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
| 547 | 1829 return NGX_ERROR; |
| 1830 } | |
| 1831 | |
| 1832 return NGX_AGAIN; | |
| 1833 } | |
| 1834 | |
| 1835 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; | |
| 1836 | |
| 1837 c->ssl->no_wait_shutdown = 1; | |
| 1838 c->ssl->no_send_shutdown = 1; | |
| 591 | 1839 c->read->eof = 1; |
| 547 | 1840 |
| 1841 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { | |
|
5747
57c05ff57980
SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
1842 ngx_connection_error(c, err, |
|
57c05ff57980
SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
1843 "peer closed connection in SSL handshake"); |
| 547 | 1844 |
| 1845 return NGX_ERROR; | |
| 1846 } | |
| 1847 | |
|
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1848 if (c->ssl->handshake_rejected) { |
|
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1849 ngx_connection_error(c, err, "handshake rejected"); |
|
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1850 ERR_clear_error(); |
|
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1851 |
|
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1852 return NGX_ERROR; |
|
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1853 } |
|
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
1854 |
| 591 | 1855 c->read->error = 1; |
| 1856 | |
| 547 | 1857 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed"); |
| 1858 | |
| 1859 return NGX_ERROR; | |
| 1860 } | |
| 1861 | |
| 1862 | |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1863 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1864 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1865 static ngx_int_t |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1866 ngx_ssl_try_early_data(ngx_connection_t *c) |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1867 { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1868 int n, sslerr; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1869 u_char buf; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1870 size_t readbytes; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1871 ngx_err_t err; |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1872 ngx_int_t rc; |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1873 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1874 ngx_ssl_clear_error(c->log); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1875 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1876 readbytes = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1877 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1878 n = SSL_read_early_data(c->ssl->connection, &buf, 1, &readbytes); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1879 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1880 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1881 "SSL_read_early_data: %d, %uz", n, readbytes); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1882 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1883 if (n == SSL_READ_EARLY_DATA_FINISH) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1884 c->ssl->try_early_data = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1885 return ngx_ssl_handshake(c); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1886 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1887 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1888 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1889 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1890 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1891 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1892 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1893 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1894 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1895 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1896 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1897 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1898 #if (NGX_DEBUG) |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1899 ngx_ssl_handshake_log(c); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1900 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1901 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1902 c->ssl->try_early_data = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1903 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1904 c->ssl->early_buf = buf; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1905 c->ssl->early_preread = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1906 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1907 c->ssl->in_early = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1908 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1909 c->recv = ngx_ssl_recv; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1910 c->send = ngx_ssl_write; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1911 c->recv_chain = ngx_ssl_recv_chain; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1912 c->send_chain = ngx_ssl_send_chain; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1913 |
|
7891
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1914 c->read->ready = 1; |
|
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1915 c->write->ready = 1; |
|
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7871
diff
changeset
|
1916 |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1917 #ifdef BIO_get_ktls_send |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1918 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1919 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1920 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1921 "BIO_get_ktls_send(): 1"); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1922 c->ssl->sendfile = 1; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1923 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1924 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1925 #endif |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
1926 |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1927 rc = ngx_ssl_ocsp_validate(c); |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1928 |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1929 if (rc == NGX_ERROR) { |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1930 return NGX_ERROR; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1931 } |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1932 |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1933 if (rc == NGX_AGAIN) { |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1934 c->read->handler = ngx_ssl_handshake_handler; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1935 c->write->handler = ngx_ssl_handshake_handler; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1936 return NGX_AGAIN; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1937 } |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1938 |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1939 c->ssl->handshaked = 1; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1940 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1941 return NGX_OK; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1942 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1943 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1944 /* SSL_READ_EARLY_DATA_ERROR */ |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1945 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1946 sslerr = SSL_get_error(c->ssl->connection, n); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1947 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1948 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1949 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1950 if (sslerr == SSL_ERROR_WANT_READ) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1951 c->read->ready = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1952 c->read->handler = ngx_ssl_handshake_handler; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1953 c->write->handler = ngx_ssl_handshake_handler; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1954 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1955 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1956 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1957 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1958 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1959 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1960 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1961 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1962 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1963 return NGX_AGAIN; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1964 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1965 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1966 if (sslerr == SSL_ERROR_WANT_WRITE) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1967 c->write->ready = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1968 c->read->handler = ngx_ssl_handshake_handler; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1969 c->write->handler = ngx_ssl_handshake_handler; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1970 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1971 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1972 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1973 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1974 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1975 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1976 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1977 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1978 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1979 return NGX_AGAIN; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1980 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1981 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1982 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1983 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1984 c->ssl->no_wait_shutdown = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1985 c->ssl->no_send_shutdown = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1986 c->read->eof = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1987 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1988 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1989 ngx_connection_error(c, err, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1990 "peer closed connection in SSL handshake"); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1991 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1992 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1993 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1994 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1995 c->read->error = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1996 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1997 ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed"); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1998 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1999 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2000 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2001 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2002 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2003 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2004 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2005 #if (NGX_DEBUG) |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2006 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2007 static void |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2008 ngx_ssl_handshake_log(ngx_connection_t *c) |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2009 { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2010 char buf[129], *s, *d; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2011 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2012 const |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2013 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2014 SSL_CIPHER *cipher; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2015 |
|
7781
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
2016 if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) { |
|
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
2017 return; |
|
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
2018 } |
|
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7780
diff
changeset
|
2019 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2020 cipher = SSL_get_current_cipher(c->ssl->connection); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2021 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2022 if (cipher) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2023 SSL_CIPHER_description(cipher, &buf[1], 128); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2024 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2025 for (s = &buf[1], d = buf; *s; s++) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2026 if (*s == ' ' && *d == ' ') { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2027 continue; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2028 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2029 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2030 if (*s == LF || *s == CR) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2031 continue; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2032 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2033 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2034 *++d = *s; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2035 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2036 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2037 if (*d != ' ') { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2038 d++; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2039 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2040 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2041 *d = '\0'; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2042 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2043 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2044 "SSL: %s, cipher: \"%s\"", |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2045 SSL_get_version(c->ssl->connection), &buf[1]); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2046 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2047 if (SSL_session_reused(c->ssl->connection)) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2048 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2049 "SSL reused session"); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2050 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2051 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2052 } else { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2053 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2054 "SSL no shared ciphers"); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2055 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2056 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2057 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2058 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2059 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2060 |
| 547 | 2061 static void |
| 2062 ngx_ssl_handshake_handler(ngx_event_t *ev) | |
| 2063 { | |
| 2064 ngx_connection_t *c; | |
| 2065 | |
| 2066 c = ev->data; | |
| 2067 | |
| 549 | 2068 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 577 | 2069 "SSL handshake handler: %d", ev->write); |
| 547 | 2070 |
| 591 | 2071 if (ev->timedout) { |
| 2072 c->ssl->handler(c); | |
| 2073 return; | |
| 2074 } | |
| 2075 | |
| 547 | 2076 if (ngx_ssl_handshake(c) == NGX_AGAIN) { |
| 2077 return; | |
| 2078 } | |
| 2079 | |
| 2080 c->ssl->handler(c); | |
| 2081 } | |
| 2082 | |
| 2083 | |
| 489 | 2084 ssize_t |
|
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2085 ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit) |
| 577 | 2086 { |
|
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2087 u_char *last; |
|
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2088 ssize_t n, bytes, size; |
| 577 | 2089 ngx_buf_t *b; |
| 2090 | |
| 2091 bytes = 0; | |
| 2092 | |
|
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2093 b = cl->buf; |
|
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2094 last = b->last; |
|
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2095 |
|
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2096 for ( ;; ) { |
|
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2097 size = b->end - last; |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2098 |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2099 if (limit) { |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2100 if (bytes >= limit) { |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2101 return bytes; |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2102 } |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2103 |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2104 if (bytes + size > limit) { |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2105 size = (ssize_t) (limit - bytes); |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2106 } |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2107 } |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2108 |
|
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2109 n = ngx_ssl_recv(c, last, size); |
| 577 | 2110 |
| 2111 if (n > 0) { | |
|
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2112 last += n; |
| 577 | 2113 bytes += n; |
| 2114 | |
|
7582
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2115 if (!c->read->ready) { |
|
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2116 return bytes; |
|
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2117 } |
|
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2118 |
|
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2119 if (last == b->end) { |
| 577 | 2120 cl = cl->next; |
|
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2121 |
|
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2122 if (cl == NULL) { |
|
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2123 return bytes; |
|
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2124 } |
|
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2125 |
|
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2126 b = cl->buf; |
|
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2127 last = b->last; |
| 577 | 2128 } |
| 2129 | |
| 2130 continue; | |
| 2131 } | |
| 2132 | |
| 2133 if (bytes) { | |
|
2052
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2134 |
|
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2135 if (n == 0 || n == NGX_ERROR) { |
|
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2136 c->read->ready = 1; |
|
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2137 } |
|
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2138 |
| 577 | 2139 return bytes; |
| 2140 } | |
| 2141 | |
| 2142 return n; | |
| 2143 } | |
| 2144 } | |
| 2145 | |
| 2146 | |
| 2147 ssize_t | |
| 489 | 2148 ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2149 { |
| 489 | 2150 int n, bytes; |
| 2151 | |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2152 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2153 if (c->ssl->in_early) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2154 return ngx_ssl_recv_early(c, buf, size); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2155 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2156 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2157 |
| 489 | 2158 if (c->ssl->last == NGX_ERROR) { |
|
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2159 c->read->error = 1; |
| 489 | 2160 return NGX_ERROR; |
| 2161 } | |
| 2162 | |
| 577 | 2163 if (c->ssl->last == NGX_DONE) { |
|
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2164 c->read->ready = 0; |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2165 c->read->eof = 1; |
| 577 | 2166 return 0; |
| 2167 } | |
| 2168 | |
| 489 | 2169 bytes = 0; |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2170 |
|
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2171 ngx_ssl_clear_error(c->log); |
|
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2172 |
| 489 | 2173 /* |
| 2174 * SSL_read() may return data in parts, so try to read | |
| 2175 * until SSL_read() would return no data | |
| 2176 */ | |
| 2177 | |
| 2178 for ( ;; ) { | |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2179 |
| 543 | 2180 n = SSL_read(c->ssl->connection, buf, size); |
| 489 | 2181 |
| 577 | 2182 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n); |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2183 |
| 489 | 2184 if (n > 0) { |
| 2185 bytes += n; | |
| 2186 } | |
| 2187 | |
| 2188 c->ssl->last = ngx_ssl_handle_recv(c, n); | |
| 2189 | |
|
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2190 if (c->ssl->last == NGX_OK) { |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2191 |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2192 size -= n; |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2193 |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2194 if (size == 0) { |
|
5450
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2195 c->read->ready = 1; |
|
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2196 |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2197 if (c->read->available >= 0) { |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2198 c->read->available -= bytes; |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2199 |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2200 /* |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2201 * there can be data buffered at SSL layer, |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2202 * so we post an event to continue reading on the next |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2203 * iteration of the event loop |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2204 */ |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2205 |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2206 if (c->read->available < 0) { |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2207 c->read->available = 0; |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2208 c->read->ready = 0; |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2209 |
|
7617
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2210 if (c->read->posted) { |
|
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2211 ngx_delete_posted_event(c->read); |
|
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2212 } |
|
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2213 |
|
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2214 ngx_post_event(c->read, &ngx_posted_next_events); |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2215 } |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2216 |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2217 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2218 "SSL_read: avail:%d", c->read->available); |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2219 |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2220 } else { |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2221 |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2222 #if (NGX_HAVE_FIONREAD) |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2223 |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2224 if (ngx_socket_nread(c->fd, &c->read->available) == -1) { |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2225 c->read->error = 1; |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2226 ngx_connection_error(c, ngx_socket_errno, |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2227 ngx_socket_nread_n " failed"); |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2228 return NGX_ERROR; |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2229 } |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2230 |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2231 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2232 "SSL_read: avail:%d", c->read->available); |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2233 |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2234 #endif |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2235 } |
|
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2236 |
| 489 | 2237 return bytes; |
| 577 | 2238 } |
| 489 | 2239 |
|
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2240 buf += n; |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2241 |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2242 continue; |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2243 } |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2244 |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2245 if (bytes) { |
|
5450
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2246 if (c->ssl->last != NGX_AGAIN) { |
|
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2247 c->read->ready = 1; |
|
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2248 } |
|
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2249 |
|
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2250 return bytes; |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2251 } |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2252 |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2253 switch (c->ssl->last) { |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2254 |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2255 case NGX_DONE: |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2256 c->read->ready = 0; |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2257 c->read->eof = 1; |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2258 return 0; |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2259 |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2260 case NGX_ERROR: |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2261 c->read->error = 1; |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2262 |
|
4499
778ef9c3fd2d
Fixed spelling in single-line comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4497
diff
changeset
|
2263 /* fall through */ |
|
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2264 |
|
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2265 case NGX_AGAIN: |
| 577 | 2266 return c->ssl->last; |
| 479 | 2267 } |
| 489 | 2268 } |
| 2269 } | |
| 2270 | |
| 2271 | |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2272 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2273 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2274 static ssize_t |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2275 ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size) |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2276 { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2277 int n, bytes; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2278 size_t readbytes; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2279 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2280 if (c->ssl->last == NGX_ERROR) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2281 c->read->error = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2282 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2283 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2284 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2285 if (c->ssl->last == NGX_DONE) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2286 c->read->ready = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2287 c->read->eof = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2288 return 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2289 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2290 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2291 bytes = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2292 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2293 ngx_ssl_clear_error(c->log); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2294 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2295 if (c->ssl->early_preread) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2296 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2297 if (size == 0) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2298 c->read->ready = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2299 c->read->eof = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2300 return 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2301 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2302 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2303 *buf = c->ssl->early_buf; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2304 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2305 c->ssl->early_preread = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2306 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2307 bytes = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2308 size -= 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2309 buf += 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2310 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2311 |
|
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2312 if (c->ssl->write_blocked) { |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2313 return NGX_AGAIN; |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2314 } |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2315 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2316 /* |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2317 * SSL_read_early_data() may return data in parts, so try to read |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2318 * until SSL_read_early_data() would return no data |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2319 */ |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2320 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2321 for ( ;; ) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2322 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2323 readbytes = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2324 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2325 n = SSL_read_early_data(c->ssl->connection, buf, size, &readbytes); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2326 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2327 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2328 "SSL_read_early_data: %d, %uz", n, readbytes); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2329 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2330 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2331 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2332 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2333 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2334 bytes += readbytes; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2335 size -= readbytes; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2336 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2337 if (size == 0) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2338 c->read->ready = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2339 return bytes; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2340 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2341 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2342 buf += readbytes; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2343 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2344 continue; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2345 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2346 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2347 if (n == SSL_READ_EARLY_DATA_FINISH) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2348 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2349 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2350 c->ssl->in_early = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2351 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2352 if (bytes) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2353 c->read->ready = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2354 return bytes; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2355 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2356 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2357 return ngx_ssl_recv(c, buf, size); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2358 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2359 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2360 /* SSL_READ_EARLY_DATA_ERROR */ |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2361 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2362 c->ssl->last = ngx_ssl_handle_recv(c, 0); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2363 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2364 if (bytes) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2365 if (c->ssl->last != NGX_AGAIN) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2366 c->read->ready = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2367 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2368 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2369 return bytes; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2370 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2371 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2372 switch (c->ssl->last) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2373 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2374 case NGX_DONE: |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2375 c->read->ready = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2376 c->read->eof = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2377 return 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2378 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2379 case NGX_ERROR: |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2380 c->read->error = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2381 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2382 /* fall through */ |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2383 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2384 case NGX_AGAIN: |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2385 return c->ssl->last; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2386 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2387 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2388 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2389 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2390 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2391 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2392 |
| 489 | 2393 static ngx_int_t |
| 2394 ngx_ssl_handle_recv(ngx_connection_t *c, int n) | |
| 2395 { | |
| 547 | 2396 int sslerr; |
| 2397 ngx_err_t err; | |
| 489 | 2398 |
|
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2399 #ifndef SSL_OP_NO_RENEGOTIATION |
|
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2400 |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2401 if (c->ssl->renegotiation) { |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2402 /* |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2403 * disable renegotiation (CVE-2009-3555): |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2404 * OpenSSL (at least up to 0.9.8l) does not handle disabled |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2405 * renegotiation gracefully, so drop connection here |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2406 */ |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2407 |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2408 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2409 |
|
4236
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2410 while (ERR_peek_error()) { |
|
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2411 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0, |
|
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2412 "ignoring stale global SSL error"); |
|
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2413 } |
|
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2414 |
|
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2415 ERR_clear_error(); |
|
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2416 |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2417 c->ssl->no_wait_shutdown = 1; |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2418 c->ssl->no_send_shutdown = 1; |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2419 |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2420 return NGX_ERROR; |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2421 } |
|
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2422 |
|
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2423 #endif |
|
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2424 |
| 489 | 2425 if (n > 0) { |
| 479 | 2426 |
| 473 | 2427 if (c->ssl->saved_write_handler) { |
| 2428 | |
| 509 | 2429 c->write->handler = c->ssl->saved_write_handler; |
| 473 | 2430 c->ssl->saved_write_handler = NULL; |
| 2431 c->write->ready = 1; | |
| 2432 | |
|
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2433 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
| 473 | 2434 return NGX_ERROR; |
| 2435 } | |
| 2436 | |
| 563 | 2437 ngx_post_event(c->write, &ngx_posted_events); |
| 473 | 2438 } |
| 2439 | |
| 489 | 2440 return NGX_OK; |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2441 } |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2442 |
| 543 | 2443 sslerr = SSL_get_error(c->ssl->connection, n); |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2444 |
|
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2445 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2446 |
|
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2447 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2448 |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2449 if (sslerr == SSL_ERROR_WANT_READ) { |
|
7353
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2450 |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2451 if (c->ssl->saved_write_handler) { |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2452 |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2453 c->write->handler = c->ssl->saved_write_handler; |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2454 c->ssl->saved_write_handler = NULL; |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2455 c->write->ready = 1; |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2456 |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2457 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2458 return NGX_ERROR; |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2459 } |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2460 |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2461 ngx_post_event(c->write, &ngx_posted_events); |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2462 } |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2463 |
| 455 | 2464 c->read->ready = 0; |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2465 return NGX_AGAIN; |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2466 } |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2467 |
|
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
2468 if (sslerr == SSL_ERROR_WANT_WRITE) { |
| 539 | 2469 |
|
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2470 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2471 "SSL_read: want write"); |
| 473 | 2472 |
| 2473 c->write->ready = 0; | |
| 2474 | |
|
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2475 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
| 473 | 2476 return NGX_ERROR; |
| 2477 } | |
| 2478 | |
| 2479 /* | |
| 2480 * we do not set the timer because there is already the read event timer | |
| 2481 */ | |
| 2482 | |
| 2483 if (c->ssl->saved_write_handler == NULL) { | |
| 509 | 2484 c->ssl->saved_write_handler = c->write->handler; |
| 2485 c->write->handler = ngx_ssl_write_handler; | |
| 473 | 2486 } |
| 2487 | |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2488 return NGX_AGAIN; |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2489 } |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2490 |
| 547 | 2491 c->ssl->no_wait_shutdown = 1; |
| 2492 c->ssl->no_send_shutdown = 1; | |
|
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2493 |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2494 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
| 577 | 2495 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 2496 "peer shutdown SSL cleanly"); | |
| 2497 return NGX_DONE; | |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2498 } |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2499 |
| 547 | 2500 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed"); |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2501 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2502 return NGX_ERROR; |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2503 } |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2504 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2505 |
| 489 | 2506 static void |
| 2507 ngx_ssl_write_handler(ngx_event_t *wev) | |
| 473 | 2508 { |
| 2509 ngx_connection_t *c; | |
| 2510 | |
| 2511 c = wev->data; | |
| 547 | 2512 |
|
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2513 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL write handler"); |
|
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2514 |
| 509 | 2515 c->read->handler(c->read); |
| 473 | 2516 } |
| 2517 | |
| 2518 | |
|
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2519 /* |
|
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2520 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer |
| 473 | 2521 * before the SSL_write() call to decrease a SSL overhead. |
|
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2522 * |
|
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2523 * Besides for protocols such as HTTP it is possible to always buffer |
|
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2524 * the output to decrease a SSL overhead some more. |
|
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2525 */ |
|
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2526 |
| 489 | 2527 ngx_chain_t * |
| 2528 ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) | |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2529 { |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2530 int n; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2531 ngx_uint_t flush; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2532 ssize_t send, size, file_size; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2533 ngx_buf_t *buf; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2534 ngx_chain_t *cl; |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2535 |
|
2280
6453161bf53e
always use buffer, if connection is buffered,
Igor Sysoev <igor@sysoev.ru>
parents:
2165
diff
changeset
|
2536 if (!c->ssl->buffer) { |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2537 |
| 577 | 2538 while (in) { |
| 2539 if (ngx_buf_special(in->buf)) { | |
| 2540 in = in->next; | |
| 2541 continue; | |
| 2542 } | |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2543 |
| 577 | 2544 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); |
| 2545 | |
| 2546 if (n == NGX_ERROR) { | |
| 2547 return NGX_CHAIN_ERROR; | |
| 2548 } | |
|
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2549 |
| 577 | 2550 if (n == NGX_AGAIN) { |
| 2551 return in; | |
| 2552 } | |
| 2553 | |
| 2554 in->buf->pos += n; | |
| 2555 | |
| 2556 if (in->buf->pos == in->buf->last) { | |
| 2557 in = in->next; | |
| 2558 } | |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2559 } |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2560 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2561 return in; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2562 } |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2563 |
| 473 | 2564 |
|
3962
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2565 /* the maximum limit size is the maximum int32_t value - the page size */ |
|
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2566 |
|
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2567 if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { |
|
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2568 limit = NGX_MAX_INT32_VALUE - ngx_pagesize; |
| 473 | 2569 } |
| 2570 | |
| 577 | 2571 buf = c->ssl->buf; |
|
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2572 |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2573 if (buf == NULL) { |
|
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2574 buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size); |
|
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2575 if (buf == NULL) { |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2576 return NGX_CHAIN_ERROR; |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2577 } |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2578 |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2579 c->ssl->buf = buf; |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2580 } |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2581 |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2582 if (buf->start == NULL) { |
|
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2583 buf->start = ngx_palloc(c->pool, c->ssl->buffer_size); |
|
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2584 if (buf->start == NULL) { |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2585 return NGX_CHAIN_ERROR; |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2586 } |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2587 |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2588 buf->pos = buf->start; |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2589 buf->last = buf->start; |
|
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2590 buf->end = buf->start + c->ssl->buffer_size; |
|
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2591 } |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2592 |
|
5023
70a35b7b63ea
SSL: take into account data in the buffer while limiting output.
Valentin Bartenev <vbart@nginx.com>
parents:
5022
diff
changeset
|
2593 send = buf->last - buf->pos; |
|
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2594 flush = (in == NULL) ? 1 : buf->flush; |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2595 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2596 for ( ;; ) { |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2597 |
|
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
2598 while (in && buf->last < buf->end && send < limit) { |
| 583 | 2599 if (in->buf->last_buf || in->buf->flush) { |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2600 flush = 1; |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2601 } |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2602 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2603 if (ngx_buf_special(in->buf)) { |
|
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2604 in = in->next; |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2605 continue; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2606 } |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2607 |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2608 if (in->buf->in_file && c->ssl->sendfile) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2609 flush = 1; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2610 break; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2611 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2612 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2613 size = in->buf->last - in->buf->pos; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2614 |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2615 if (size > buf->end - buf->last) { |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2616 size = buf->end - buf->last; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2617 } |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2618 |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2619 if (send + size > limit) { |
| 577 | 2620 size = (ssize_t) (limit - send); |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2621 } |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2622 |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2623 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 6480 | 2624 "SSL buf copy: %z", size); |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2625 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2626 ngx_memcpy(buf->last, in->buf->pos, size); |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2627 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2628 buf->last += size; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2629 in->buf->pos += size; |
|
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
2630 send += size; |
| 577 | 2631 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2632 if (in->buf->pos == in->buf->last) { |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2633 in = in->next; |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2634 } |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2635 } |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2636 |
|
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2637 if (!flush && send < limit && buf->last < buf->end) { |
|
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2638 break; |
|
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2639 } |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2640 |
|
5021
674f8739e443
SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents:
5020
diff
changeset
|
2641 size = buf->last - buf->pos; |
|
674f8739e443
SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents:
5020
diff
changeset
|
2642 |
|
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2643 if (size == 0) { |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2644 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2645 if (in && in->buf->in_file && send < limit) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2646 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2647 /* coalesce the neighbouring file bufs */ |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2648 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2649 cl = in; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2650 file_size = (size_t) ngx_chain_coalesce_file(&cl, limit - send); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2651 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2652 n = ngx_ssl_sendfile(c, in->buf, file_size); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2653 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2654 if (n == NGX_ERROR) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2655 return NGX_CHAIN_ERROR; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2656 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2657 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2658 if (n == NGX_AGAIN) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2659 break; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2660 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2661 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2662 in = ngx_chain_update_sent(in, n); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2663 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2664 send += n; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2665 flush = 0; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2666 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2667 continue; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2668 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2669 |
|
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2670 buf->flush = 0; |
|
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2671 c->buffered &= ~NGX_SSL_BUFFERED; |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2672 |
|
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2673 return in; |
|
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2674 } |
|
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2675 |
|
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2676 n = ngx_ssl_write(c, buf->pos, size); |
|
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2677 |
|
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2678 if (n == NGX_ERROR) { |
|
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2679 return NGX_CHAIN_ERROR; |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2680 } |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2681 |
| 511 | 2682 if (n == NGX_AGAIN) { |
|
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2683 break; |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2684 } |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2685 |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2686 buf->pos += n; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2687 |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2688 if (n < size) { |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2689 break; |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2690 } |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2691 |
|
5019
69693a098655
SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents:
5018
diff
changeset
|
2692 flush = 0; |
|
69693a098655
SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents:
5018
diff
changeset
|
2693 |
|
5018
0ea36741bb35
SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents:
5003
diff
changeset
|
2694 buf->pos = buf->start; |
|
0ea36741bb35
SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents:
5003
diff
changeset
|
2695 buf->last = buf->start; |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2696 |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2697 if (in == NULL || send >= limit) { |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2698 break; |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2699 } |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2700 } |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2701 |
|
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2702 buf->flush = flush; |
|
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2703 |
| 597 | 2704 if (buf->pos < buf->last) { |
| 2705 c->buffered |= NGX_SSL_BUFFERED; | |
| 2706 | |
| 2707 } else { | |
| 2708 c->buffered &= ~NGX_SSL_BUFFERED; | |
| 2709 } | |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2710 |
|
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
398
diff
changeset
|
2711 return in; |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2712 } |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2713 |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2714 |
| 539 | 2715 ssize_t |
| 489 | 2716 ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2717 { |
| 547 | 2718 int n, sslerr; |
| 2719 ngx_err_t err; | |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2720 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2721 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2722 if (c->ssl->in_early) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2723 return ngx_ssl_write_early(c, data, size); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2724 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2725 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2726 |
|
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2727 ngx_ssl_clear_error(c->log); |
|
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2728 |
| 6480 | 2729 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2730 |
| 543 | 2731 n = SSL_write(c->ssl->connection, data, size); |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2732 |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2733 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2734 |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2735 if (n > 0) { |
| 539 | 2736 |
| 473 | 2737 if (c->ssl->saved_read_handler) { |
| 2738 | |
| 509 | 2739 c->read->handler = c->ssl->saved_read_handler; |
| 473 | 2740 c->ssl->saved_read_handler = NULL; |
| 2741 c->read->ready = 1; | |
| 2742 | |
|
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2743 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
| 473 | 2744 return NGX_ERROR; |
| 2745 } | |
| 2746 | |
| 563 | 2747 ngx_post_event(c->read, &ngx_posted_events); |
| 473 | 2748 } |
| 2749 | |
|
5986
c2f309fb7ad2
SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents:
5946
diff
changeset
|
2750 c->sent += n; |
|
c2f309fb7ad2
SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents:
5946
diff
changeset
|
2751 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2752 return n; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2753 } |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2754 |
| 543 | 2755 sslerr = SSL_get_error(c->ssl->connection, n); |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2756 |
|
7706
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2757 if (sslerr == SSL_ERROR_ZERO_RETURN) { |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2758 |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2759 /* |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2760 * OpenSSL 1.1.1 fails to return SSL_ERROR_SYSCALL if an error |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2761 * happens during SSL_write() after close_notify alert from the |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2762 * peer, and returns SSL_ERROR_ZERO_RETURN instead, |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2763 * https://git.openssl.org/?p=openssl.git;a=commitdiff;h=8051ab2 |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2764 */ |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2765 |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2766 sslerr = SSL_ERROR_SYSCALL; |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2767 } |
|
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7694
diff
changeset
|
2768 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2769 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2770 |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2771 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2772 |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2773 if (sslerr == SSL_ERROR_WANT_WRITE) { |
|
7353
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2774 |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2775 if (c->ssl->saved_read_handler) { |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2776 |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2777 c->read->handler = c->ssl->saved_read_handler; |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2778 c->ssl->saved_read_handler = NULL; |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2779 c->read->ready = 1; |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2780 |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2781 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2782 return NGX_ERROR; |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2783 } |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2784 |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2785 ngx_post_event(c->read, &ngx_posted_events); |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2786 } |
|
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2787 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2788 c->write->ready = 0; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2789 return NGX_AGAIN; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2790 } |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2791 |
|
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
2792 if (sslerr == SSL_ERROR_WANT_READ) { |
| 452 | 2793 |
|
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2794 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2795 "SSL_write: want read"); |
| 473 | 2796 |
| 2797 c->read->ready = 0; | |
| 2798 | |
|
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2799 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
| 473 | 2800 return NGX_ERROR; |
| 2801 } | |
| 2802 | |
| 2803 /* | |
| 2804 * we do not set the timer because there is already | |
| 2805 * the write event timer | |
| 2806 */ | |
| 2807 | |
| 2808 if (c->ssl->saved_read_handler == NULL) { | |
| 509 | 2809 c->ssl->saved_read_handler = c->read->handler; |
| 2810 c->read->handler = ngx_ssl_read_handler; | |
| 473 | 2811 } |
| 2812 | |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2813 return NGX_AGAIN; |
|
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2814 } |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2815 |
| 547 | 2816 c->ssl->no_wait_shutdown = 1; |
| 2817 c->ssl->no_send_shutdown = 1; | |
| 591 | 2818 c->write->error = 1; |
| 543 | 2819 |
| 547 | 2820 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed"); |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2821 |
|
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2822 return NGX_ERROR; |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2823 } |
|
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2824 |
|
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2825 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2826 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2827 |
|
7940
46a02ed7c966
Style: added missing "static" specifiers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7936
diff
changeset
|
2828 static ssize_t |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2829 ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2830 { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2831 int n, sslerr; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2832 size_t written; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2833 ngx_err_t err; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2834 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2835 ngx_ssl_clear_error(c->log); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2836 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2837 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2838 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2839 written = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2840 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2841 n = SSL_write_early_data(c->ssl->connection, data, size, &written); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2842 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2843 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2844 "SSL_write_early_data: %d, %uz", n, written); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2845 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2846 if (n > 0) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2847 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2848 if (c->ssl->saved_read_handler) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2849 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2850 c->read->handler = c->ssl->saved_read_handler; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2851 c->ssl->saved_read_handler = NULL; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2852 c->read->ready = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2853 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2854 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2855 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2856 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2857 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2858 ngx_post_event(c->read, &ngx_posted_events); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2859 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2860 |
|
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2861 if (c->ssl->write_blocked) { |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2862 c->ssl->write_blocked = 0; |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2863 ngx_post_event(c->read, &ngx_posted_events); |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2864 } |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2865 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2866 c->sent += written; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2867 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2868 return written; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2869 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2870 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2871 sslerr = SSL_get_error(c->ssl->connection, n); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2872 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2873 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2874 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2875 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2876 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2877 if (sslerr == SSL_ERROR_WANT_WRITE) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2878 |
|
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2879 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2880 "SSL_write_early_data: want write"); |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2881 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2882 if (c->ssl->saved_read_handler) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2883 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2884 c->read->handler = c->ssl->saved_read_handler; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2885 c->ssl->saved_read_handler = NULL; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2886 c->read->ready = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2887 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2888 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2889 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2890 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2891 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2892 ngx_post_event(c->read, &ngx_posted_events); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2893 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2894 |
|
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2895 /* |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2896 * OpenSSL 1.1.1a fails to handle SSL_read_early_data() |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2897 * if an SSL_write_early_data() call blocked on writing, |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2898 * see https://github.com/openssl/openssl/issues/7757 |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2899 */ |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2900 |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2901 c->ssl->write_blocked = 1; |
|
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2902 |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2903 c->write->ready = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2904 return NGX_AGAIN; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2905 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2906 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2907 if (sslerr == SSL_ERROR_WANT_READ) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2908 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2909 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2910 "SSL_write_early_data: want read"); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2911 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2912 c->read->ready = 0; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2913 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2914 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2915 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2916 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2917 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2918 /* |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2919 * we do not set the timer because there is already |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2920 * the write event timer |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2921 */ |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2922 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2923 if (c->ssl->saved_read_handler == NULL) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2924 c->ssl->saved_read_handler = c->read->handler; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2925 c->read->handler = ngx_ssl_read_handler; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2926 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2927 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2928 return NGX_AGAIN; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2929 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2930 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2931 c->ssl->no_wait_shutdown = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2932 c->ssl->no_send_shutdown = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2933 c->write->error = 1; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2934 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2935 ngx_ssl_connection_error(c, sslerr, err, "SSL_write_early_data() failed"); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2936 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2937 return NGX_ERROR; |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2938 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2939 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2940 #endif |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2941 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2942 |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2943 static ssize_t |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2944 ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, size_t size) |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2945 { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2946 #ifdef BIO_get_ktls_send |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2947 |
|
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2948 int sslerr, flags; |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2949 ssize_t n; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2950 ngx_err_t err; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2951 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2952 ngx_ssl_clear_error(c->log); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2953 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2954 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2955 "SSL to sendfile: @%O %uz", |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2956 file->file_pos, size); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2957 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2958 ngx_set_errno(0); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2959 |
|
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2960 #if (NGX_HAVE_SENDFILE_NODISKIO) |
|
7987
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
2961 |
|
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2962 flags = (c->busy_count <= 2) ? SF_NODISKIO : 0; |
|
7987
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
2963 |
|
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
2964 if (file->file->directio) { |
|
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
2965 flags |= SF_NOCACHE; |
|
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
2966 } |
|
b002ad258f1d
Support for sendfile(SF_NOCACHE).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7986
diff
changeset
|
2967 |
|
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2968 #else |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2969 flags = 0; |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2970 #endif |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2971 |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2972 n = SSL_sendfile(c->ssl->connection, file->file->fd, file->file_pos, |
|
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2973 size, flags); |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2974 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2975 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", n); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2976 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2977 if (n > 0) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2978 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2979 if (c->ssl->saved_read_handler) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2980 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2981 c->read->handler = c->ssl->saved_read_handler; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2982 c->ssl->saved_read_handler = NULL; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2983 c->read->ready = 1; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2984 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2985 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2986 return NGX_ERROR; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2987 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2988 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2989 ngx_post_event(c->read, &ngx_posted_events); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2990 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2991 |
|
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2992 #if (NGX_HAVE_SENDFILE_NODISKIO) |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2993 c->busy_count = 0; |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2994 #endif |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
2995 |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2996 c->sent += n; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2997 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2998 return n; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
2999 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3000 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3001 if (n == 0) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3002 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3003 /* |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3004 * if sendfile returns zero, then someone has truncated the file, |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3005 * so the offset became beyond the end of the file |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3006 */ |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3007 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3008 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3009 "SSL_sendfile() reported that \"%s\" was truncated at %O", |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3010 file->file->name.data, file->file_pos); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3011 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3012 return NGX_ERROR; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3013 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3014 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3015 sslerr = SSL_get_error(c->ssl->connection, n); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3016 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3017 if (sslerr == SSL_ERROR_ZERO_RETURN) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3018 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3019 /* |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3020 * OpenSSL fails to return SSL_ERROR_SYSCALL if an error |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3021 * happens during writing after close_notify alert from the |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3022 * peer, and returns SSL_ERROR_ZERO_RETURN instead |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3023 */ |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3024 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3025 sslerr = SSL_ERROR_SYSCALL; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3026 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3027 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3028 if (sslerr == SSL_ERROR_SSL |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3029 && ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNINITIALIZED |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3030 && ngx_errno != 0) |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3031 { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3032 /* |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3033 * OpenSSL fails to return SSL_ERROR_SYSCALL if an error |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3034 * happens in sendfile(), and returns SSL_ERROR_SSL with |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3035 * SSL_R_UNINITIALIZED reason instead |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3036 */ |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3037 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3038 sslerr = SSL_ERROR_SYSCALL; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3039 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3040 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3041 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3042 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3043 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3044 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3045 if (sslerr == SSL_ERROR_WANT_WRITE) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3046 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3047 if (c->ssl->saved_read_handler) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3048 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3049 c->read->handler = c->ssl->saved_read_handler; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3050 c->ssl->saved_read_handler = NULL; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3051 c->read->ready = 1; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3052 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3053 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3054 return NGX_ERROR; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3055 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3056 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3057 ngx_post_event(c->read, &ngx_posted_events); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3058 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3059 |
|
7986
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3060 #if (NGX_HAVE_SENDFILE_NODISKIO) |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3061 |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3062 if (ngx_errno == EBUSY) { |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3063 c->busy_count++; |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3064 |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3065 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3066 "SSL_sendfile() busy, count:%d", c->busy_count); |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3067 |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3068 if (c->write->posted) { |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3069 ngx_delete_posted_event(c->write); |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3070 } |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3071 |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3072 ngx_post_event(c->write, &ngx_posted_next_events); |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3073 } |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3074 |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3075 #endif |
|
f1fcb0fe6975
SSL: SSL_sendfile(SF_NODISKIO) support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7973
diff
changeset
|
3076 |
|
7941
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3077 c->write->ready = 0; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3078 return NGX_AGAIN; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3079 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3080 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3081 if (sslerr == SSL_ERROR_WANT_READ) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3082 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3083 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3084 "SSL_sendfile: want read"); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3085 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3086 c->read->ready = 0; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3087 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3088 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3089 return NGX_ERROR; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3090 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3091 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3092 /* |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3093 * we do not set the timer because there is already |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3094 * the write event timer |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3095 */ |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3096 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3097 if (c->ssl->saved_read_handler == NULL) { |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3098 c->ssl->saved_read_handler = c->read->handler; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3099 c->read->handler = ngx_ssl_read_handler; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3100 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3101 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3102 return NGX_AGAIN; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3103 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3104 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3105 c->ssl->no_wait_shutdown = 1; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3106 c->ssl->no_send_shutdown = 1; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3107 c->write->error = 1; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3108 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3109 ngx_ssl_connection_error(c, sslerr, err, "SSL_sendfile() failed"); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3110 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3111 #else |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3112 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3113 "SSL_sendfile() not available"); |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3114 #endif |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3115 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3116 return NGX_ERROR; |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3117 } |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3118 |
|
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7940
diff
changeset
|
3119 |
| 489 | 3120 static void |
| 3121 ngx_ssl_read_handler(ngx_event_t *rev) | |
| 473 | 3122 { |
| 3123 ngx_connection_t *c; | |
| 3124 | |
| 3125 c = rev->data; | |
| 547 | 3126 |
|
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
3127 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler"); |
|
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
3128 |
| 509 | 3129 c->write->handler(c->write); |
| 473 | 3130 } |
| 3131 | |
| 3132 | |
|
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3133 void |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3134 ngx_ssl_free_buffer(ngx_connection_t *c) |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3135 { |
|
1795
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3136 if (c->ssl->buf && c->ssl->buf->start) { |
|
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3137 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) { |
|
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3138 c->ssl->buf->start = NULL; |
|
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3139 } |
|
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3140 } |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3141 } |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3142 |
|
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3143 |
| 489 | 3144 ngx_int_t |
| 3145 ngx_ssl_shutdown(ngx_connection_t *c) | |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3146 { |
|
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3147 int n, sslerr, mode; |
|
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3148 ngx_int_t rc; |
|
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3149 ngx_err_t err; |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3150 ngx_uint_t tries; |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3151 |
|
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3152 rc = NGX_OK; |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3153 |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
3154 ngx_ssl_ocsp_cleanup(c); |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
3155 |
|
6407
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3156 if (SSL_in_init(c->ssl->connection)) { |
|
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3157 /* |
|
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3158 * OpenSSL 1.0.2f complains if SSL_shutdown() is called during |
|
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3159 * an SSL handshake, while previous versions always return 0. |
|
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3160 * Avoid calling SSL_shutdown() if handshake wasn't completed. |
|
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3161 */ |
|
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3162 |
|
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3163 goto done; |
|
6407
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3164 } |
|
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3165 |
|
7709
052ecc68d350
SSL: disabled shutdown when there are buffered data.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7708
diff
changeset
|
3166 if (c->timedout || c->error || c->buffered) { |
| 547 | 3167 mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN; |
|
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3168 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
|
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3169 |
| 547 | 3170 } else { |
| 3171 mode = SSL_get_shutdown(c->ssl->connection); | |
| 473 | 3172 |
| 547 | 3173 if (c->ssl->no_wait_shutdown) { |
| 3174 mode |= SSL_RECEIVED_SHUTDOWN; | |
|
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3175 } |
|
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3176 |
| 547 | 3177 if (c->ssl->no_send_shutdown) { |
| 3178 mode |= SSL_SENT_SHUTDOWN; | |
|
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3179 } |
|
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3180 |
|
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3181 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) { |
|
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3182 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
|
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3183 } |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3184 } |
|
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3185 |
| 547 | 3186 SSL_set_shutdown(c->ssl->connection, mode); |
| 3187 | |
|
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3188 ngx_ssl_clear_error(c->log); |
|
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3189 |
|
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3190 tries = 2; |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3191 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3192 for ( ;; ) { |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3193 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3194 /* |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3195 * For bidirectional shutdown, SSL_shutdown() needs to be called |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3196 * twice: first call sends the "close notify" alert and returns 0, |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3197 * second call waits for the peer's "close notify" alert. |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3198 */ |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3199 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3200 n = SSL_shutdown(c->ssl->connection); |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3201 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3202 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3203 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3204 if (n == 1) { |
|
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3205 goto done; |
|
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3206 } |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3207 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3208 if (n == 0 && tries-- > 1) { |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3209 continue; |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3210 } |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3211 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3212 /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */ |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3213 |
| 543 | 3214 sslerr = SSL_get_error(c->ssl->connection, n); |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3215 |
|
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3216 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3217 "SSL_get_error: %d", sslerr); |
|
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3218 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3219 if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3220 c->read->handler = ngx_ssl_shutdown_handler; |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3221 c->write->handler = ngx_ssl_shutdown_handler; |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3222 |
|
7707
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3223 if (sslerr == SSL_ERROR_WANT_READ) { |
|
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3224 c->read->ready = 0; |
|
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3225 |
|
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3226 } else { |
|
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3227 c->write->ready = 0; |
|
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3228 } |
|
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7706
diff
changeset
|
3229 |
|
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3230 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
|
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3231 goto failed; |
|
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3232 } |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3233 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3234 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
|
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3235 goto failed; |
|
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3236 } |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3237 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3238 ngx_add_timer(c->read, 3000); |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3239 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3240 return NGX_AGAIN; |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3241 } |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3242 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3243 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
|
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3244 goto done; |
|
7694
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3245 } |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3246 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3247 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3248 |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3249 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); |
|
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7672
diff
changeset
|
3250 |
|
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3251 break; |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3252 } |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3253 |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3254 failed: |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3255 |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3256 rc = NGX_ERROR; |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3257 |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3258 done: |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3259 |
|
7871
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3260 if (c->ssl->shutdown_without_free) { |
|
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3261 c->ssl->shutdown_without_free = 0; |
|
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3262 c->recv = ngx_recv; |
|
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3263 return rc; |
|
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3264 } |
|
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7870
diff
changeset
|
3265 |
|
7870
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3266 SSL_free(c->ssl->connection); |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3267 c->ssl = NULL; |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3268 c->recv = ngx_recv; |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3269 |
|
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7781
diff
changeset
|
3270 return rc; |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3271 } |
|
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3272 |
|
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3273 |
| 547 | 3274 static void |
| 577 | 3275 ngx_ssl_shutdown_handler(ngx_event_t *ev) |
| 3276 { | |
| 3277 ngx_connection_t *c; | |
| 3278 ngx_connection_handler_pt handler; | |
| 3279 | |
| 3280 c = ev->data; | |
| 3281 handler = c->ssl->handler; | |
| 3282 | |
| 3283 if (ev->timedout) { | |
| 3284 c->timedout = 1; | |
| 3285 } | |
| 3286 | |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3287 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler"); |
| 577 | 3288 |
| 3289 if (ngx_ssl_shutdown(c) == NGX_AGAIN) { | |
| 3290 return; | |
| 3291 } | |
| 3292 | |
| 3293 handler(c); | |
| 3294 } | |
| 3295 | |
| 3296 | |
| 3297 static void | |
| 547 | 3298 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, |
| 3299 char *text) | |
| 3300 { | |
|
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3301 int n; |
| 547 | 3302 ngx_uint_t level; |
| 3303 | |
| 3304 level = NGX_LOG_CRIT; | |
| 3305 | |
| 3306 if (sslerr == SSL_ERROR_SYSCALL) { | |
| 3307 | |
| 3308 if (err == NGX_ECONNRESET | |
|
7560
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3309 #if (NGX_WIN32) |
|
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3310 || err == NGX_ECONNABORTED |
|
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3311 #endif |
| 547 | 3312 || err == NGX_EPIPE |
| 3313 || err == NGX_ENOTCONN | |
| 589 | 3314 || err == NGX_ETIMEDOUT |
| 547 | 3315 || err == NGX_ECONNREFUSED |
|
1869
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3316 || err == NGX_ENETDOWN |
|
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3317 || err == NGX_ENETUNREACH |
|
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3318 || err == NGX_EHOSTDOWN |
| 547 | 3319 || err == NGX_EHOSTUNREACH) |
| 3320 { | |
| 3321 switch (c->log_error) { | |
| 3322 | |
| 3323 case NGX_ERROR_IGNORE_ECONNRESET: | |
| 3324 case NGX_ERROR_INFO: | |
| 3325 level = NGX_LOG_INFO; | |
| 3326 break; | |
| 3327 | |
| 3328 case NGX_ERROR_ERR: | |
| 3329 level = NGX_LOG_ERR; | |
| 3330 break; | |
| 3331 | |
| 3332 default: | |
| 3333 break; | |
| 3334 } | |
| 3335 } | |
|
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3336 |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3337 } else if (sslerr == SSL_ERROR_SSL) { |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3338 |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3339 n = ERR_GET_REASON(ERR_peek_error()); |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3340 |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3341 /* handshake failures */ |
|
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3342 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ |
|
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3343 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE |
|
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3344 || n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */ |
|
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3345 #endif |
|
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3346 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM |
|
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3347 || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */ |
|
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3348 #endif |
|
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3349 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ |
|
3718
bfd84b583868
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3516
diff
changeset
|
3350 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ |
|
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3351 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3352 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ |
|
7311
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
3353 || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */ |
|
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
3354 || n == SSL_R_HTTP_REQUEST /* 156 */ |
|
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3355 || n == SSL_R_LENGTH_MISMATCH /* 159 */ |
|
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
3356 #ifdef SSL_R_NO_CIPHERS_PASSED |
|
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3357 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ |
|
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
3358 #endif |
|
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3359 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ |
|
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3360 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ |
|
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3361 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ |
|
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3362 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ |
|
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3363 #ifdef SSL_R_CLIENTHELLO_TLSEXT |
|
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3364 || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */ |
|
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3365 #endif |
|
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3366 #ifdef SSL_R_PARSE_TLSEXT |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3367 || n == SSL_R_PARSE_TLSEXT /* 227 */ |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3368 #endif |
|
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3369 #ifdef SSL_R_CALLBACK_FAILED |
|
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3370 || n == SSL_R_CALLBACK_FAILED /* 234 */ |
|
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3371 #endif |
|
7936
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
3372 #ifdef SSL_R_NO_APPLICATION_PROTOCOL |
|
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
3373 || n == SSL_R_NO_APPLICATION_PROTOCOL /* 235 */ |
|
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
7935
diff
changeset
|
3374 #endif |
|
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3375 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3376 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ |
|
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3377 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ |
|
3357
fc735aa50b8b
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
3378 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ |
|
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3379 #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS |
|
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3380 || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */ |
|
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3381 #endif |
|
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3382 || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */ |
|
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3383 #ifdef SSL_R_NO_SHARED_GROUP |
|
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3384 || n == SSL_R_NO_SHARED_GROUP /* 266 */ |
|
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3385 #endif |
|
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3386 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3387 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ |
|
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3388 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3389 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */ |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3390 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */ |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3391 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */ |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3392 #endif |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3393 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3394 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */ |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3395 #endif |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3396 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3397 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ |
|
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3398 #endif |
|
5902
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3399 #ifdef SSL_R_INAPPROPRIATE_FALLBACK |
|
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3400 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ |
|
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3401 #endif |
|
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3402 #ifdef SSL_R_CERT_CB_ERROR |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3403 || n == SSL_R_CERT_CB_ERROR /* 377 */ |
|
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3404 #endif |
|
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3405 #ifdef SSL_R_VERSION_TOO_LOW |
|
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3406 || n == SSL_R_VERSION_TOO_LOW /* 396 */ |
|
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3407 #endif |
|
1877
a55876dff8f5
low SSL handshake close notify alert error level
Igor Sysoev <igor@sysoev.ru>
parents:
1876
diff
changeset
|
3408 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |
|
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3409 #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE |
|
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3410 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3411 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3412 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3413 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3414 || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3415 || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3416 || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3417 || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3418 || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3419 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3420 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3421 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3422 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3423 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3424 || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3425 || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3426 || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3427 || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3428 || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3429 || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3430 || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ |
|
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3431 || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ |
|
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3432 || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */ |
|
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3433 #endif |
|
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3434 ) |
|
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3435 { |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3436 switch (c->log_error) { |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3437 |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3438 case NGX_ERROR_IGNORE_ECONNRESET: |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3439 case NGX_ERROR_INFO: |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3440 level = NGX_LOG_INFO; |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3441 break; |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3442 |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3443 case NGX_ERROR_ERR: |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3444 level = NGX_LOG_ERR; |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3445 break; |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3446 |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3447 default: |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3448 break; |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3449 } |
|
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3450 } |
| 547 | 3451 } |
| 3452 | |
| 3453 ngx_ssl_error(level, c->log, err, text); | |
| 3454 } | |
| 3455 | |
| 3456 | |
|
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3457 static void |
|
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3458 ngx_ssl_clear_error(ngx_log_t *log) |
|
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3459 { |
| 1868 | 3460 while (ERR_peek_error()) { |
|
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3461 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); |
|
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3462 } |
| 1868 | 3463 |
| 3464 ERR_clear_error(); | |
|
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3465 } |
|
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3466 |
|
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3467 |
| 583 | 3468 void ngx_cdecl |
| 489 | 3469 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) |
| 577 | 3470 { |
|
4877
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3471 int flags; |
|
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3472 u_long n; |
|
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3473 va_list args; |
|
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3474 u_char *p, *last; |
|
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3475 u_char errstr[NGX_MAX_CONF_ERRSTR]; |
|
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3476 const char *data; |
| 461 | 3477 |
| 3478 last = errstr + NGX_MAX_CONF_ERRSTR; | |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3479 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3480 va_start(args, fmt); |
|
2764
d4a717592877
use ngx_vslprintf(), ngx_slprintf()
Igor Sysoev <igor@sysoev.ru>
parents:
2720
diff
changeset
|
3481 p = ngx_vslprintf(errstr, last - 1, fmt, args); |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3482 va_end(args); |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3483 |
|
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3484 if (ERR_peek_error()) { |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3485 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3486 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3487 for ( ;; ) { |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3488 |
|
7897
4195a6f0c61c
SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7896
diff
changeset
|
3489 n = ERR_peek_error_data(&data, &flags); |
|
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3490 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3491 if (n == 0) { |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3492 break; |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3493 } |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3494 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3495 /* ERR_error_string_n() requires at least one byte */ |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3496 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3497 if (p >= last - 1) { |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3498 goto next; |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3499 } |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3500 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3501 *p++ = ' '; |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3502 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3503 ERR_error_string_n(n, (char *) p, last - p); |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3504 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3505 while (p < last && *p) { |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3506 p++; |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3507 } |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3508 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3509 if (p < last && *data && (flags & ERR_TXT_STRING)) { |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3510 *p++ = ':'; |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3511 p = ngx_cpystrn(p, (u_char *) data, last - p); |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3512 } |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3513 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3514 next: |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3515 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3516 (void) ERR_get_error(); |
| 1861 | 3517 } |
| 3518 | |
|
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3519 if (p < last) { |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3520 *p++ = ')'; |
| 547 | 3521 } |
|
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3522 } |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3523 |
|
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3524 ngx_log_error(level, log, err, "%*s", p - errstr, errstr); |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3525 } |
| 509 | 3526 |
| 3527 | |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3528 ngx_int_t |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3529 ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
|
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3530 ngx_array_t *certificates, ssize_t builtin_session_cache, |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3531 ngx_shm_zone_t *shm_zone, time_t timeout) |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3532 { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3533 long cache_mode; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3534 |
|
5424
767aa37f12de
SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5423
diff
changeset
|
3535 SSL_CTX_set_timeout(ssl->ctx, (long) timeout); |
|
767aa37f12de
SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5423
diff
changeset
|
3536 |
|
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3537 if (ngx_ssl_session_id_context(ssl, sess_ctx, certificates) != NGX_OK) { |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3538 return NGX_ERROR; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3539 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3540 |
| 1778 | 3541 if (builtin_session_cache == NGX_SSL_NO_SCACHE) { |
| 3542 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF); | |
| 3543 return NGX_OK; | |
| 3544 } | |
| 3545 | |
| 2032 | 3546 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { |
| 3547 | |
| 3548 /* | |
| 3549 * If the server explicitly says that it does not support | |
| 3550 * session reuse (see SSL_SESS_CACHE_OFF above), then | |
| 3551 * Outlook Express fails to upload a sent email to | |
| 3552 * the Sent Items folder on the IMAP server via a separate IMAP | |
| 6552 | 3553 * connection in the background. Therefore we have a special |
| 2032 | 3554 * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE) |
| 3555 * where the server pretends that it supports session reuse, | |
| 3556 * but it does not actually store any session. | |
| 3557 */ | |
| 3558 | |
| 3559 SSL_CTX_set_session_cache_mode(ssl->ctx, | |
| 3560 SSL_SESS_CACHE_SERVER | |
| 3561 |SSL_SESS_CACHE_NO_AUTO_CLEAR | |
| 3562 |SSL_SESS_CACHE_NO_INTERNAL_STORE); | |
| 3563 | |
| 3564 SSL_CTX_sess_set_cache_size(ssl->ctx, 1); | |
| 3565 | |
| 3566 return NGX_OK; | |
| 3567 } | |
| 3568 | |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3569 cache_mode = SSL_SESS_CACHE_SERVER; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3570 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3571 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3572 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3573 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3574 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3575 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3576 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3577 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3578 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3579 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3580 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3581 } |
|
1015
32ebb6b13ff3
ssl_session_timeout was set only if builtin cache was used
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
3582 } |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3583 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3584 if (shm_zone) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3585 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3586 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3587 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3588 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3589 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone) |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3590 == 0) |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3591 { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3592 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3593 "SSL_CTX_set_ex_data() failed"); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3594 return NGX_ERROR; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3595 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3596 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3597 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3598 return NGX_OK; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3599 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3600 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3601 |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3602 static ngx_int_t |
|
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3603 ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3604 ngx_array_t *certificates) |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3605 { |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3606 int n, i; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3607 X509 *cert; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3608 X509_NAME *name; |
|
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3609 ngx_str_t *certs; |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3610 ngx_uint_t k; |
|
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3611 EVP_MD_CTX *md; |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3612 unsigned int len; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3613 STACK_OF(X509_NAME) *list; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3614 u_char buf[EVP_MAX_MD_SIZE]; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3615 |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3616 /* |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3617 * Session ID context is set based on the string provided, |
|
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3618 * the server certificates, and the client CA list. |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3619 */ |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3620 |
|
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3621 md = EVP_MD_CTX_create(); |
|
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3622 if (md == NULL) { |
|
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3623 return NGX_ERROR; |
|
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3624 } |
|
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3625 |
|
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3626 if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) { |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3627 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3628 "EVP_DigestInit_ex() failed"); |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3629 goto failed; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3630 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3631 |
|
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3632 if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) { |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3633 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3634 "EVP_DigestUpdate() failed"); |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3635 goto failed; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3636 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3637 |
|
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3638 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3639 cert; |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3640 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3641 { |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3642 if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) { |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3643 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3644 "X509_digest() failed"); |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3645 goto failed; |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3646 } |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3647 |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3648 if (EVP_DigestUpdate(md, buf, len) == 0) { |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3649 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3650 "EVP_DigestUpdate() failed"); |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3651 goto failed; |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3652 } |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3653 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3654 |
|
7732
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
3655 if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL |
|
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
3656 && certificates != NULL) |
|
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7729
diff
changeset
|
3657 { |
|
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3658 /* |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3659 * If certificates are loaded dynamically, we use certificate |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3660 * names as specified in the configuration (with variables). |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3661 */ |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3662 |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3663 certs = certificates->elts; |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3664 for (k = 0; k < certificates->nelts; k++) { |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3665 |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3666 if (EVP_DigestUpdate(md, certs[k].data, certs[k].len) == 0) { |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3667 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3668 "EVP_DigestUpdate() failed"); |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3669 goto failed; |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3670 } |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3671 } |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3672 } |
|
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3673 |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3674 list = SSL_CTX_get_client_CA_list(ssl->ctx); |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3675 |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3676 if (list != NULL) { |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3677 n = sk_X509_NAME_num(list); |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3678 |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3679 for (i = 0; i < n; i++) { |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3680 name = sk_X509_NAME_value(list, i); |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3681 |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3682 if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) { |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3683 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3684 "X509_NAME_digest() failed"); |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3685 goto failed; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3686 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3687 |
|
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3688 if (EVP_DigestUpdate(md, buf, len) == 0) { |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3689 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3690 "EVP_DigestUpdate() failed"); |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3691 goto failed; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3692 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3693 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3694 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3695 |
|
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3696 if (EVP_DigestFinal_ex(md, buf, &len) == 0) { |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3697 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
7455
992bf7540a98
SSL: fixed EVP_DigestFinal_ex() error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7454
diff
changeset
|
3698 "EVP_DigestFinal_ex() failed"); |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3699 goto failed; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3700 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3701 |
|
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3702 EVP_MD_CTX_destroy(md); |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3703 |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3704 if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) { |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3705 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3706 "SSL_CTX_set_session_id_context() failed"); |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3707 return NGX_ERROR; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3708 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3709 |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3710 return NGX_OK; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3711 |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3712 failed: |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3713 |
|
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3714 EVP_MD_CTX_destroy(md); |
|
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3715 |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3716 return NGX_ERROR; |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3717 } |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3718 |
|
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3719 |
|
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3962
diff
changeset
|
3720 ngx_int_t |
|
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3721 ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data) |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3722 { |
|
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3723 size_t len; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3724 ngx_slab_pool_t *shpool; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3725 ngx_ssl_session_cache_t *cache; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3726 |
|
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3727 if (data) { |
|
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3728 shm_zone->data = data; |
|
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3729 return NGX_OK; |
|
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3730 } |
|
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3731 |
|
5640
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3732 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
|
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3733 |
|
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3734 if (shm_zone->shm.exists) { |
|
5640
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3735 shm_zone->data = shpool->data; |
|
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3736 return NGX_OK; |
|
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3737 } |
|
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3738 |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3739 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t)); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3740 if (cache == NULL) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3741 return NGX_ERROR; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3742 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3743 |
|
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3744 shpool->data = cache; |
|
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3745 shm_zone->data = cache; |
|
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3746 |
|
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3747 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel, |
|
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3748 ngx_ssl_session_rbtree_insert_value); |
|
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3749 |
| 1760 | 3750 ngx_queue_init(&cache->expire_queue); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3751 |
|
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
3752 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len; |
|
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3753 |
|
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3754 shpool->log_ctx = ngx_slab_alloc(shpool, len); |
|
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3755 if (shpool->log_ctx == NULL) { |
|
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3756 return NGX_ERROR; |
|
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3757 } |
|
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3758 |
|
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3759 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z", |
|
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
3760 &shm_zone->shm.name); |
|
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3761 |
|
5634
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3762 shpool->log_nomem = 0; |
|
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3763 |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3764 return NGX_OK; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3765 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3766 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3767 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3768 /* |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3769 * The length of the session id is 16 bytes for SSLv2 sessions and |
|
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3770 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes. |
|
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3771 * It seems that the typical length of the external ASN1 representation |
|
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3772 * of a session is 118 or 119 bytes for SSLv3/TSLv1. |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3773 * |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3774 * Thus on 32-bit platforms we allocate separately an rbtree node, |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3775 * a session id, and an ASN1 representation, they take accordingly |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3776 * 64, 32, and 128 bytes. |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3777 * |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3778 * On 64-bit platforms we allocate separately an rbtree node + session_id, |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3779 * and an ASN1 representation, they take accordingly 128 and 128 bytes. |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3780 * |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3781 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow, |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3782 * so they are outside the code locked by shared pool mutex |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3783 */ |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3784 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3785 static int |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3786 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3787 { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3788 int len; |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3789 u_char *p, *id, *cached_sess, *session_id; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3790 uint32_t hash; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3791 SSL_CTX *ssl_ctx; |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3792 unsigned int session_id_length; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3793 ngx_shm_zone_t *shm_zone; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3794 ngx_connection_t *c; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3795 ngx_slab_pool_t *shpool; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3796 ngx_ssl_sess_id_t *sess_id; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3797 ngx_ssl_session_cache_t *cache; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3798 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3799 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3800 len = i2d_SSL_SESSION(sess, NULL); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3801 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3802 /* do not cache too big session */ |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3803 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3804 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3805 return 0; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3806 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3807 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3808 p = buf; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3809 i2d_SSL_SESSION(sess, &p); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3810 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3811 c = ngx_ssl_get_connection(ssl_conn); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3812 |
|
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3813 ssl_ctx = c->ssl->session_ctx; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3814 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3815 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3816 cache = shm_zone->data; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3817 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3818 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3819 ngx_shmtx_lock(&shpool->mutex); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3820 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3821 /* drop one or two expired sessions */ |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3822 ngx_ssl_expire_sessions(cache, shpool, 1); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3823 |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3824 cached_sess = ngx_slab_alloc_locked(shpool, len); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3825 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3826 if (cached_sess == NULL) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3827 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3828 /* drop the oldest non-expired session and try once more */ |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3829 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3830 ngx_ssl_expire_sessions(cache, shpool, 0); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3831 |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3832 cached_sess = ngx_slab_alloc_locked(shpool, len); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3833 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3834 if (cached_sess == NULL) { |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3835 sess_id = NULL; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3836 goto failed; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3837 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3838 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3839 |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3840 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
|
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3841 |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3842 if (sess_id == NULL) { |
|
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3843 |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3844 /* drop the oldest non-expired session and try once more */ |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3845 |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3846 ngx_ssl_expire_sessions(cache, shpool, 0); |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3847 |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3848 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3849 |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3850 if (sess_id == NULL) { |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3851 goto failed; |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3852 } |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3853 } |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3854 |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3855 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length); |
|
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3856 |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3857 #if (NGX_PTR_SIZE == 8) |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3858 |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3859 id = sess_id->sess_id; |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3860 |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3861 #else |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3862 |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3863 id = ngx_slab_alloc_locked(shpool, session_id_length); |
|
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3864 |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3865 if (id == NULL) { |
|
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3866 |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3867 /* drop the oldest non-expired session and try once more */ |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3868 |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3869 ngx_ssl_expire_sessions(cache, shpool, 0); |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3870 |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3871 id = ngx_slab_alloc_locked(shpool, session_id_length); |
|
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3872 |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3873 if (id == NULL) { |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3874 goto failed; |
|
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3875 } |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3876 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3877 |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3878 #endif |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3879 |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3880 ngx_memcpy(cached_sess, buf, len); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3881 |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3882 ngx_memcpy(id, session_id, session_id_length); |
|
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3883 |
|
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3884 hash = ngx_crc32_short(session_id, session_id_length); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3885 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3886 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3887 "ssl new session: %08XD:%ud:%d", |
|
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3888 hash, session_id_length, len); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3889 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3890 sess_id->node.key = hash; |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3891 sess_id->node.data = (u_char) session_id_length; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3892 sess_id->id = id; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3893 sess_id->len = len; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3894 sess_id->session = cached_sess; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3895 |
|
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
3896 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3897 |
| 1760 | 3898 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3899 |
|
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3900 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3901 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3902 ngx_shmtx_unlock(&shpool->mutex); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3903 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3904 return 0; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3905 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3906 failed: |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3907 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3908 if (cached_sess) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3909 ngx_slab_free_locked(shpool, cached_sess); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3910 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3911 |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3912 if (sess_id) { |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3913 ngx_slab_free_locked(shpool, sess_id); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3914 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3915 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3916 ngx_shmtx_unlock(&shpool->mutex); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3917 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3918 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
|
5634
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3919 "could not allocate new session%s", shpool->log_ctx); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3920 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3921 return 0; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3922 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3923 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3924 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3925 static ngx_ssl_session_t * |
|
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3926 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
|
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3927 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
|
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3928 const |
|
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3929 #endif |
|
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3930 u_char *id, int len, int *copy) |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3931 { |
|
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3932 size_t slen; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3933 uint32_t hash; |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3934 ngx_int_t rc; |
|
7509
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
3935 const u_char *p; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3936 ngx_shm_zone_t *shm_zone; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3937 ngx_slab_pool_t *shpool; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3938 ngx_rbtree_node_t *node, *sentinel; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3939 ngx_ssl_session_t *sess; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3940 ngx_ssl_sess_id_t *sess_id; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3941 ngx_ssl_session_cache_t *cache; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3942 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
|
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
3943 ngx_connection_t *c; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3944 |
|
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3945 hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3946 *copy = 0; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3947 |
|
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
3948 c = ngx_ssl_get_connection(ssl_conn); |
|
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
3949 |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3950 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 3155 | 3951 "ssl get session: %08XD:%d", hash, len); |
|
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3952 |
|
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3953 shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx, |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3954 ngx_ssl_session_cache_index); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3955 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3956 cache = shm_zone->data; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3957 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3958 sess = NULL; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3959 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3960 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3961 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3962 ngx_shmtx_lock(&shpool->mutex); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3963 |
|
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3964 node = cache->session_rbtree.root; |
|
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3965 sentinel = cache->session_rbtree.sentinel; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3966 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3967 while (node != sentinel) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3968 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3969 if (hash < node->key) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3970 node = node->left; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3971 continue; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3972 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3973 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3974 if (hash > node->key) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3975 node = node->right; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3976 continue; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3977 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3978 |
|
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3979 /* hash == node->key */ |
|
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3980 |
|
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3981 sess_id = (ngx_ssl_sess_id_t *) node; |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3982 |
|
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3983 rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id, |
|
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3984 (size_t) len, (size_t) node->data); |
|
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3985 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3986 if (rc == 0) { |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3987 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3988 if (sess_id->expire > ngx_time()) { |
|
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3989 slen = sess_id->len; |
|
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3990 |
|
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3991 ngx_memcpy(buf, sess_id->session, slen); |
|
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3992 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3993 ngx_shmtx_unlock(&shpool->mutex); |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3994 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3995 p = buf; |
|
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3996 sess = d2i_SSL_SESSION(NULL, &p, slen); |
|
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3997 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3998 return sess; |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3999 } |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4000 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4001 ngx_queue_remove(&sess_id->queue); |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4002 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4003 ngx_rbtree_delete(&cache->session_rbtree, node); |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4004 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4005 ngx_slab_free_locked(shpool, sess_id->session); |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4006 #if (NGX_PTR_SIZE == 4) |
|
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4007 ngx_slab_free_locked(shpool, sess_id->id); |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4008 #endif |
|
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4009 ngx_slab_free_locked(shpool, sess_id); |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4010 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4011 sess = NULL; |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4012 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4013 goto done; |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4014 } |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4015 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4016 node = (rc < 0) ? node->left : node->right; |
|
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4017 } |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4018 |
|
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4019 done: |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4020 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4021 ngx_shmtx_unlock(&shpool->mutex); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4022 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4023 return sess; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4024 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4025 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4026 |
|
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4027 void |
|
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4028 ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
|
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4029 { |
| 6474 | 4030 SSL_CTX_remove_session(ssl, sess); |
| 4031 | |
| 4032 ngx_ssl_remove_session(ssl, sess); | |
|
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4033 } |
|
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4034 |
|
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4035 |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4036 static void |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4037 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4038 { |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4039 u_char *id; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4040 uint32_t hash; |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4041 ngx_int_t rc; |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4042 unsigned int len; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4043 ngx_shm_zone_t *shm_zone; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4044 ngx_slab_pool_t *shpool; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4045 ngx_rbtree_node_t *node, *sentinel; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4046 ngx_ssl_sess_id_t *sess_id; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4047 ngx_ssl_session_cache_t *cache; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4048 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4049 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4050 |
|
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4051 if (shm_zone == NULL) { |
|
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4052 return; |
|
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4053 } |
|
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4054 |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4055 cache = shm_zone->data; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4056 |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4057 id = (u_char *) SSL_SESSION_get_id(sess, &len); |
|
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4058 |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4059 hash = ngx_crc32_short(id, len); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4060 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4061 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4062 "ssl remove session: %08XD:%ud", hash, len); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4063 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4064 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4065 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4066 ngx_shmtx_lock(&shpool->mutex); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4067 |
|
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
4068 node = cache->session_rbtree.root; |
|
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
4069 sentinel = cache->session_rbtree.sentinel; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4070 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4071 while (node != sentinel) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4072 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4073 if (hash < node->key) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4074 node = node->left; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4075 continue; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4076 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4077 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4078 if (hash > node->key) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4079 node = node->right; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4080 continue; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4081 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4082 |
|
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4083 /* hash == node->key */ |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4084 |
|
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4085 sess_id = (ngx_ssl_sess_id_t *) node; |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4086 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4087 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data); |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4088 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4089 if (rc == 0) { |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4090 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4091 ngx_queue_remove(&sess_id->queue); |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4092 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4093 ngx_rbtree_delete(&cache->session_rbtree, node); |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4094 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4095 ngx_slab_free_locked(shpool, sess_id->session); |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4096 #if (NGX_PTR_SIZE == 4) |
|
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4097 ngx_slab_free_locked(shpool, sess_id->id); |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4098 #endif |
|
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4099 ngx_slab_free_locked(shpool, sess_id); |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4100 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4101 goto done; |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4102 } |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4103 |
|
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4104 node = (rc < 0) ? node->left : node->right; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4105 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4106 |
|
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4107 done: |
|
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4108 |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4109 ngx_shmtx_unlock(&shpool->mutex); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4110 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4111 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4112 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4113 static void |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4114 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4115 ngx_slab_pool_t *shpool, ngx_uint_t n) |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4116 { |
|
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4117 time_t now; |
| 1760 | 4118 ngx_queue_t *q; |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
4119 ngx_ssl_sess_id_t *sess_id; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4120 |
|
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4121 now = ngx_time(); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4122 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4123 while (n < 3) { |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4124 |
| 1760 | 4125 if (ngx_queue_empty(&cache->expire_queue)) { |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4126 return; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4127 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4128 |
| 1760 | 4129 q = ngx_queue_last(&cache->expire_queue); |
| 4130 | |
| 4131 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue); | |
| 4132 | |
|
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4133 if (n++ != 0 && sess_id->expire > now) { |
| 1439 | 4134 return; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4135 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4136 |
| 1760 | 4137 ngx_queue_remove(q); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4138 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4139 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4140 "expire session: %08Xi", sess_id->node.key); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4141 |
| 1760 | 4142 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); |
| 4143 | |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
4144 ngx_slab_free_locked(shpool, sess_id->session); |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4145 #if (NGX_PTR_SIZE == 4) |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4146 ngx_slab_free_locked(shpool, sess_id->id); |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4147 #endif |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4148 ngx_slab_free_locked(shpool, sess_id); |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4149 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4150 } |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4151 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4152 |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4153 static void |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4154 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4155 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel) |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4156 { |
|
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4157 ngx_rbtree_node_t **p; |
|
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4158 ngx_ssl_sess_id_t *sess_id, *sess_id_temp; |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4159 |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4160 for ( ;; ) { |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4161 |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4162 if (node->key < temp->key) { |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4163 |
|
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4164 p = &temp->left; |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4165 |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4166 } else if (node->key > temp->key) { |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4167 |
|
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4168 p = &temp->right; |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4169 |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4170 } else { /* node->key == temp->key */ |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4171 |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4172 sess_id = (ngx_ssl_sess_id_t *) node; |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4173 sess_id_temp = (ngx_ssl_sess_id_t *) temp; |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4174 |
|
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4175 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id, |
|
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4176 (size_t) node->data, (size_t) temp->data) |
|
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4177 < 0) ? &temp->left : &temp->right; |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4178 } |
|
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4179 |
|
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4180 if (*p == sentinel) { |
|
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4181 break; |
|
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4182 } |
|
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4183 |
|
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4184 temp = *p; |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4185 } |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4186 |
|
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4187 *p = node; |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4188 node->parent = temp; |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4189 node->left = sentinel; |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4190 node->right = sentinel; |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4191 ngx_rbt_red(node); |
|
1043
7073b87fa8e9
style fix: remove trailing spaces
Igor Sysoev <igor@sysoev.ru>
parents:
1029
diff
changeset
|
4192 } |
|
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4193 |
|
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4194 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4195 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4196 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4197 ngx_int_t |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4198 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4199 { |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4200 u_char buf[80]; |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4201 size_t size; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4202 ssize_t n; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4203 ngx_str_t *path; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4204 ngx_file_t file; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4205 ngx_uint_t i; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4206 ngx_array_t *keys; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4207 ngx_file_info_t fi; |
|
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4208 ngx_pool_cleanup_t *cln; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4209 ngx_ssl_session_ticket_key_t *key; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4210 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4211 if (paths == NULL) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4212 return NGX_OK; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4213 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4214 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4215 keys = ngx_array_create(cf->pool, paths->nelts, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4216 sizeof(ngx_ssl_session_ticket_key_t)); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4217 if (keys == NULL) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4218 return NGX_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4219 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4220 |
|
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4221 cln = ngx_pool_cleanup_add(cf->pool, 0); |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4222 if (cln == NULL) { |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4223 return NGX_ERROR; |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4224 } |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4225 |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4226 cln->handler = ngx_ssl_session_ticket_keys_cleanup; |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4227 cln->data = keys; |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4228 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4229 path = paths->elts; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4230 for (i = 0; i < paths->nelts; i++) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4231 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4232 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4233 return NGX_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4234 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4235 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4236 ngx_memzero(&file, sizeof(ngx_file_t)); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4237 file.name = path[i]; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4238 file.log = cf->log; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4239 |
|
7087
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
4240 file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, |
|
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
4241 NGX_FILE_OPEN, 0); |
| 7086 | 4242 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4243 if (file.fd == NGX_INVALID_FILE) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4244 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4245 ngx_open_file_n " \"%V\" failed", &file.name); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4246 return NGX_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4247 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4248 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4249 if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4250 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4251 ngx_fd_info_n " \"%V\" failed", &file.name); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4252 goto failed; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4253 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4254 |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4255 size = ngx_file_size(&fi); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4256 |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4257 if (size != 48 && size != 80) { |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4258 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4259 "\"%V\" must be 48 or 80 bytes", &file.name); |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4260 goto failed; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4261 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4262 |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4263 n = ngx_read_file(&file, buf, size, 0); |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4264 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4265 if (n == NGX_ERROR) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4266 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4267 ngx_read_file_n " \"%V\" failed", &file.name); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4268 goto failed; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4269 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4270 |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4271 if ((size_t) n != size) { |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4272 ngx_conf_log_error(NGX_LOG_CRIT, cf, 0, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4273 ngx_read_file_n " \"%V\" returned only " |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4274 "%z bytes instead of %uz", &file.name, n, size); |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4275 goto failed; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4276 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4277 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4278 key = ngx_array_push(keys); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4279 if (key == NULL) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4280 goto failed; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4281 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4282 |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4283 if (size == 48) { |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4284 key->size = 48; |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4285 ngx_memcpy(key->name, buf, 16); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4286 ngx_memcpy(key->aes_key, buf + 16, 16); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4287 ngx_memcpy(key->hmac_key, buf + 32, 16); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4288 |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4289 } else { |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4290 key->size = 80; |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4291 ngx_memcpy(key->name, buf, 16); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4292 ngx_memcpy(key->hmac_key, buf + 16, 32); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4293 ngx_memcpy(key->aes_key, buf + 48, 32); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4294 } |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4295 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4296 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4297 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4298 ngx_close_file_n " \"%V\" failed", &file.name); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4299 } |
|
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4300 |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4301 ngx_explicit_memzero(&buf, 80); |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4302 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4303 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4304 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4305 == 0) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4306 { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4307 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4308 "SSL_CTX_set_ex_data() failed"); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4309 return NGX_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4310 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4311 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4312 if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4313 ngx_ssl_session_ticket_key_callback) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4314 == 0) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4315 { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4316 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4317 "nginx was built with Session Tickets support, however, " |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4318 "now it is linked dynamically to an OpenSSL library " |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4319 "which has no tlsext support, therefore Session Tickets " |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4320 "are not available"); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4321 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4322 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4323 return NGX_OK; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4324 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4325 failed: |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4326 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4327 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4328 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4329 ngx_close_file_n " \"%V\" failed", &file.name); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4330 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4331 |
|
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4332 ngx_explicit_memzero(&buf, 80); |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4333 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4334 return NGX_ERROR; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4335 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4336 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4337 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4338 static int |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4339 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4340 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4341 HMAC_CTX *hctx, int enc) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4342 { |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4343 size_t size; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4344 SSL_CTX *ssl_ctx; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4345 ngx_uint_t i; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4346 ngx_array_t *keys; |
|
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4347 ngx_connection_t *c; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4348 ngx_ssl_session_ticket_key_t *key; |
|
6686
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4349 const EVP_MD *digest; |
|
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4350 const EVP_CIPHER *cipher; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4351 |
|
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4352 c = ngx_ssl_get_connection(ssl_conn); |
|
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4353 ssl_ctx = c->ssl->session_ctx; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4354 |
|
6686
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4355 #ifdef OPENSSL_NO_SHA256 |
|
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4356 digest = EVP_sha1(); |
|
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4357 #else |
|
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4358 digest = EVP_sha256(); |
|
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4359 #endif |
|
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4360 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4361 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4362 if (keys == NULL) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4363 return -1; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4364 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4365 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4366 key = keys->elts; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4367 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4368 if (enc == 1) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4369 /* encrypt session ticket */ |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4370 |
|
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4371 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
7736
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
7732
diff
changeset
|
4372 "ssl session ticket encrypt, key: \"%*xs\" (%s session)", |
|
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
7732
diff
changeset
|
4373 (size_t) 16, key[0].name, |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4374 SSL_session_reused(ssl_conn) ? "reused" : "new"); |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4375 |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4376 if (key[0].size == 48) { |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4377 cipher = EVP_aes_128_cbc(); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4378 size = 16; |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4379 |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4380 } else { |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4381 cipher = EVP_aes_256_cbc(); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4382 size = 32; |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4383 } |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4384 |
|
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4385 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) { |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4386 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed"); |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4387 return -1; |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4388 } |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4389 |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4390 if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) { |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4391 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4392 "EVP_EncryptInit_ex() failed"); |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4393 return -1; |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4394 } |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4395 |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4396 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4397 if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { |
|
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4398 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4399 return -1; |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4400 } |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4401 #else |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4402 HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL); |
|
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4403 #endif |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4404 |
|
5760
4b668378ad8b
Style: use ngx_memcpy() instead of memcpy().
Piotr Sikora <piotr@cloudflare.com>
parents:
5756
diff
changeset
|
4405 ngx_memcpy(name, key[0].name, 16); |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4406 |
|
6660
3eb1a92a2f05
SSL: adopted session ticket handling for OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6659
diff
changeset
|
4407 return 1; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4408 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4409 } else { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4410 /* decrypt session ticket */ |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4411 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4412 for (i = 0; i < keys->nelts; i++) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4413 if (ngx_memcmp(name, key[i].name, 16) == 0) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4414 goto found; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4415 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4416 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4417 |
|
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4418 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
7736
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
7732
diff
changeset
|
4419 "ssl session ticket decrypt, key: \"%*xs\" not found", |
|
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
7732
diff
changeset
|
4420 (size_t) 16, name); |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4421 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4422 return 0; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4423 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4424 found: |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4425 |
|
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4426 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
7736
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
7732
diff
changeset
|
4427 "ssl session ticket decrypt, key: \"%*xs\"%s", |
|
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
7732
diff
changeset
|
4428 (size_t) 16, key[i].name, (i == 0) ? " (default)" : ""); |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4429 |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4430 if (key[i].size == 48) { |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4431 cipher = EVP_aes_128_cbc(); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4432 size = 16; |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4433 |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4434 } else { |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4435 cipher = EVP_aes_256_cbc(); |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4436 size = 32; |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4437 } |
|
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4438 |
|
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4439 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4440 if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { |
|
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4441 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4442 return -1; |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4443 } |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4444 #else |
|
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4445 HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL); |
|
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4446 #endif |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4447 |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4448 if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) { |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4449 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4450 "EVP_DecryptInit_ex() failed"); |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4451 return -1; |
|
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4452 } |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4453 |
|
7997
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4454 /* renew if TLSv1.3 */ |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4455 |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4456 #ifdef TLS1_3_VERSION |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4457 if (SSL_version(ssl_conn) == TLS1_3_VERSION) { |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4458 return 2; |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4459 } |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4460 #endif |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4461 |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4462 /* renew if non-default key */ |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4463 |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4464 if (i != 0) { |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4465 return 2; |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4466 } |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4467 |
|
e30f7dc7f143
SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7994
diff
changeset
|
4468 return 1; |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4469 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4470 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4471 |
|
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4472 |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4473 static void |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4474 ngx_ssl_session_ticket_keys_cleanup(void *data) |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4475 { |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4476 ngx_array_t *keys = data; |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4477 |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4478 ngx_explicit_memzero(keys->elts, |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4479 keys->nelts * sizeof(ngx_ssl_session_ticket_key_t)); |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4480 } |
|
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4481 |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4482 #else |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4483 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4484 ngx_int_t |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4485 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4486 { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4487 if (paths) { |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4488 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
|
7074
07a49cce21ca
SSL: fixed typo in the error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6995
diff
changeset
|
4489 "\"ssl_session_ticket_key\" ignored, not supported"); |
|
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4490 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4491 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4492 return NGX_OK; |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4493 } |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4494 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4495 #endif |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4496 |
|
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4497 |
| 509 | 4498 void |
| 4499 ngx_ssl_cleanup_ctx(void *data) | |
| 4500 { | |
| 589 | 4501 ngx_ssl_t *ssl = data; |
| 509 | 4502 |
|
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4503 X509 *cert, *next; |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4504 |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4505 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4506 |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4507 while (cert) { |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4508 next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index); |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4509 X509_free(cert); |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4510 cert = next; |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4511 } |
|
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4512 |
| 589 | 4513 SSL_CTX_free(ssl->ctx); |
| 509 | 4514 } |
| 541 | 4515 |
| 4516 | |
| 671 | 4517 ngx_int_t |
|
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4518 ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4519 { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4520 X509 *cert; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4521 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4522 cert = SSL_get_peer_certificate(c->ssl->connection); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4523 if (cert == NULL) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4524 return NGX_ERROR; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4525 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4526 |
|
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
4527 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
|
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4528 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4529 /* X509_check_host() is only available in OpenSSL 1.0.2+ */ |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4530 |
|
5669
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4531 if (name->len == 0) { |
|
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4532 goto failed; |
|
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4533 } |
|
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4534 |
|
5767
abd460ece11e
SSL: fix build with recent OpenSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5760
diff
changeset
|
4535 if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) { |
|
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4536 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4537 "X509_check_host(): no match"); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4538 goto failed; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4539 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4540 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4541 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4542 "X509_check_host(): match"); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4543 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4544 goto found; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4545 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4546 #else |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4547 { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4548 int n, i; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4549 X509_NAME *sname; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4550 ASN1_STRING *str; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4551 X509_NAME_ENTRY *entry; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4552 GENERAL_NAME *altname; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4553 STACK_OF(GENERAL_NAME) *altnames; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4554 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4555 /* |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4556 * As per RFC6125 and RFC2818, we check subjectAltName extension, |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4557 * and if it's not present - commonName in Subject is checked. |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4558 */ |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4559 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4560 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4561 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4562 if (altnames) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4563 n = sk_GENERAL_NAME_num(altnames); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4564 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4565 for (i = 0; i < n; i++) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4566 altname = sk_GENERAL_NAME_value(altnames, i); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4567 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4568 if (altname->type != GEN_DNS) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4569 continue; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4570 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4571 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4572 str = altname->d.dNSName; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4573 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4574 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4575 "SSL subjectAltName: \"%*s\"", |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4576 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4577 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4578 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4579 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4580 "SSL subjectAltName: match"); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4581 GENERAL_NAMES_free(altnames); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4582 goto found; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4583 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4584 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4585 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4586 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4587 "SSL subjectAltName: no match"); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4588 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4589 GENERAL_NAMES_free(altnames); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4590 goto failed; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4591 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4592 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4593 /* |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4594 * If there is no subjectAltName extension, check commonName |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4595 * in Subject. While RFC2818 requires to only check "most specific" |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4596 * CN, both Apache and OpenSSL check all CNs, and so do we. |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4597 */ |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4598 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4599 sname = X509_get_subject_name(cert); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4600 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4601 if (sname == NULL) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4602 goto failed; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4603 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4604 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4605 i = -1; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4606 for ( ;; ) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4607 i = X509_NAME_get_index_by_NID(sname, NID_commonName, i); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4608 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4609 if (i < 0) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4610 break; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4611 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4612 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4613 entry = X509_NAME_get_entry(sname, i); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4614 str = X509_NAME_ENTRY_get_data(entry); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4615 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4616 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4617 "SSL commonName: \"%*s\"", |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4618 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4619 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4620 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4621 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4622 "SSL commonName: match"); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4623 goto found; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4624 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4625 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4626 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4627 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4628 "SSL commonName: no match"); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4629 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4630 #endif |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4631 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4632 failed: |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4633 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4634 X509_free(cert); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4635 return NGX_ERROR; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4636 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4637 found: |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4638 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4639 X509_free(cert); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4640 return NGX_OK; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4641 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4642 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4643 |
|
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
4644 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
|
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4645 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4646 static ngx_int_t |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4647 ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern) |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4648 { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4649 u_char *s, *p, *end; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4650 size_t slen, plen; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4651 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4652 s = name->data; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4653 slen = name->len; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4654 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4655 p = ASN1_STRING_data(pattern); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4656 plen = ASN1_STRING_length(pattern); |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4657 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4658 if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4659 return NGX_OK; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4660 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4661 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4662 if (plen > 2 && p[0] == '*' && p[1] == '.') { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4663 plen -= 1; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4664 p += 1; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4665 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4666 end = s + slen; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4667 s = ngx_strlchr(s, end, '.'); |
|
5666
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4668 |
|
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4669 if (s == NULL) { |
|
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4670 return NGX_ERROR; |
|
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4671 } |
|
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4672 |
|
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4673 slen = end - s; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4674 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4675 if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) { |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4676 return NGX_OK; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4677 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4678 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4679 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4680 return NGX_ERROR; |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4681 } |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4682 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4683 #endif |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4684 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4685 |
|
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4686 ngx_int_t |
| 671 | 4687 ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 611 | 4688 { |
| 671 | 4689 s->data = (u_char *) SSL_get_version(c->ssl->connection); |
| 4690 return NGX_OK; | |
| 611 | 4691 } |
| 4692 | |
| 4693 | |
| 671 | 4694 ngx_int_t |
| 4695 ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
| 611 | 4696 { |
| 671 | 4697 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection); |
| 4698 return NGX_OK; | |
| 611 | 4699 } |
| 4700 | |
| 4701 | |
| 647 | 4702 ngx_int_t |
|
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4703 ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4704 { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4705 #ifdef SSL_CTRL_GET_RAW_CIPHERLIST |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4706 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4707 int n, i, bytes; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4708 size_t len; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4709 u_char *ciphers, *p; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4710 const SSL_CIPHER *cipher; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4711 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4712 bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4713 n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4714 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4715 if (n <= 0) { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4716 s->len = 0; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4717 return NGX_OK; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4718 } |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4719 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4720 len = 0; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4721 n /= bytes; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4722 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4723 for (i = 0; i < n; i++) { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4724 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4725 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4726 if (cipher) { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4727 len += ngx_strlen(SSL_CIPHER_get_name(cipher)); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4728 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4729 } else { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4730 len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4731 } |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4732 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4733 len += sizeof(":") - 1; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4734 } |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4735 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4736 s->data = ngx_pnalloc(pool, len); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4737 if (s->data == NULL) { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4738 return NGX_ERROR; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4739 } |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4740 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4741 p = s->data; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4742 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4743 for (i = 0; i < n; i++) { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4744 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4745 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4746 if (cipher) { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4747 p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher)); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4748 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4749 } else { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4750 p = ngx_sprintf(p, "0x"); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4751 p = ngx_hex_dump(p, ciphers + i * bytes, bytes); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4752 } |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4753 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4754 *p++ = ':'; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4755 } |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4756 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4757 p--; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4758 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4759 s->len = p - s->data; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4760 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4761 #else |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4762 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4763 u_char buf[4096]; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4764 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4765 if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096) |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4766 == NULL) |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4767 { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4768 s->len = 0; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4769 return NGX_OK; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4770 } |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4771 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4772 s->len = ngx_strlen(buf); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4773 s->data = ngx_pnalloc(pool, s->len); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4774 if (s->data == NULL) { |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4775 return NGX_ERROR; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4776 } |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4777 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4778 ngx_memcpy(s->data, buf, s->len); |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4779 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4780 #endif |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4781 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4782 return NGX_OK; |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4783 } |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4784 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4785 |
|
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4786 ngx_int_t |
|
7973
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4787 ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4788 { |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4789 #ifdef SSL_get_negotiated_group |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4790 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4791 int nid; |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4792 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4793 nid = SSL_get_negotiated_group(c->ssl->connection); |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4794 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4795 if (nid != NID_undef) { |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4796 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4797 if ((nid & TLSEXT_nid_unknown) == 0) { |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4798 s->len = ngx_strlen(OBJ_nid2sn(nid)); |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4799 s->data = (u_char *) OBJ_nid2sn(nid); |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4800 return NGX_OK; |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4801 } |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4802 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4803 s->len = sizeof("0x0000") - 1; |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4804 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4805 s->data = ngx_pnalloc(pool, s->len); |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4806 if (s->data == NULL) { |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4807 return NGX_ERROR; |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4808 } |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4809 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4810 ngx_sprintf(s->data, "0x%04xd", nid & 0xffff); |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4811 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4812 return NGX_OK; |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4813 } |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4814 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4815 #endif |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4816 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4817 s->len = 0; |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4818 return NGX_OK; |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4819 } |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4820 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4821 |
|
3443c02ca1d1
SSL: $ssl_curve (ticket #2135).
Sergey Kandaurov <pluknet@nginx.com>
parents:
7941
diff
changeset
|
4822 ngx_int_t |
|
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4823 ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4824 { |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4825 #ifdef SSL_CTRL_GET_CURVES |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4826 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4827 int *curves, n, i, nid; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4828 u_char *p; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4829 size_t len; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4830 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4831 n = SSL_get1_curves(c->ssl->connection, NULL); |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4832 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4833 if (n <= 0) { |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4834 s->len = 0; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4835 return NGX_OK; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4836 } |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4837 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4838 curves = ngx_palloc(pool, n * sizeof(int)); |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4839 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4840 n = SSL_get1_curves(c->ssl->connection, curves); |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4841 len = 0; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4842 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4843 for (i = 0; i < n; i++) { |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4844 nid = curves[i]; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4845 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4846 if (nid & TLSEXT_nid_unknown) { |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4847 len += sizeof("0x0000") - 1; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4848 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4849 } else { |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4850 len += ngx_strlen(OBJ_nid2sn(nid)); |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4851 } |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4852 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4853 len += sizeof(":") - 1; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4854 } |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4855 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4856 s->data = ngx_pnalloc(pool, len); |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4857 if (s->data == NULL) { |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4858 return NGX_ERROR; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4859 } |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4860 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4861 p = s->data; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4862 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4863 for (i = 0; i < n; i++) { |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4864 nid = curves[i]; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4865 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4866 if (nid & TLSEXT_nid_unknown) { |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4867 p = ngx_sprintf(p, "0x%04xd", nid & 0xffff); |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4868 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4869 } else { |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4870 p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid)); |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4871 } |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4872 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4873 *p++ = ':'; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4874 } |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4875 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4876 p--; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4877 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4878 s->len = p - s->data; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4879 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4880 #else |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4881 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4882 s->len = 0; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4883 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4884 #endif |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4885 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4886 return NGX_OK; |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4887 } |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4888 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4889 |
|
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4890 ngx_int_t |
| 3154 | 4891 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 4892 { | |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4893 u_char *buf; |
|
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4894 SSL_SESSION *sess; |
|
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4895 unsigned int len; |
| 3154 | 4896 |
| 4897 sess = SSL_get0_session(c->ssl->connection); | |
|
5537
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4898 if (sess == NULL) { |
|
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4899 s->len = 0; |
|
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4900 return NGX_OK; |
|
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4901 } |
| 3154 | 4902 |
|
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4903 buf = (u_char *) SSL_SESSION_get_id(sess, &len); |
|
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4904 |
| 3154 | 4905 s->len = 2 * len; |
| 4906 s->data = ngx_pnalloc(pool, 2 * len); | |
| 4907 if (s->data == NULL) { | |
| 4908 return NGX_ERROR; | |
| 4909 } | |
| 4910 | |
| 4911 ngx_hex_dump(s->data, buf, len); | |
| 4912 | |
| 4913 return NGX_OK; | |
| 4914 } | |
| 4915 | |
| 4916 | |
| 4917 ngx_int_t | |
|
5573
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4918 ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4919 { |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4920 if (SSL_session_reused(c->ssl->connection)) { |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4921 ngx_str_set(s, "r"); |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4922 |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4923 } else { |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4924 ngx_str_set(s, "."); |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4925 } |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4926 |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4927 return NGX_OK; |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4928 } |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4929 |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4930 |
|
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4931 ngx_int_t |
|
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4932 ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4933 { |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4934 s->len = 0; |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4935 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4936 #ifdef SSL_ERROR_EARLY_DATA_REJECTED |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4937 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4938 /* BoringSSL */ |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4939 |
|
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4940 if (SSL_in_early_data(c->ssl->connection)) { |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4941 ngx_str_set(s, "1"); |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4942 } |
|
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4943 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4944 #elif defined SSL_READ_EARLY_DATA_SUCCESS |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4945 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4946 /* OpenSSL */ |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4947 |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4948 if (!SSL_is_init_finished(c->ssl->connection)) { |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4949 ngx_str_set(s, "1"); |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4950 } |
|
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4951 |
|
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4952 #endif |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4953 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4954 return NGX_OK; |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4955 } |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4956 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4957 |
|
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4958 ngx_int_t |
|
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4959 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4960 { |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4961 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4962 |
|
7092
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4963 size_t len; |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4964 const char *name; |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4965 |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4966 name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name); |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4967 |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4968 if (name) { |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4969 len = ngx_strlen(name); |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4970 |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4971 s->len = len; |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4972 s->data = ngx_pnalloc(pool, len); |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4973 if (s->data == NULL) { |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4974 return NGX_ERROR; |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4975 } |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4976 |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4977 ngx_memcpy(s->data, name, len); |
|
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4978 |
|
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4979 return NGX_OK; |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4980 } |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4981 |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4982 #endif |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4983 |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4984 s->len = 0; |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4985 return NGX_OK; |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4986 } |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4987 |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4988 |
|
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4989 ngx_int_t |
|
7935
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4990 ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4991 { |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4992 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4993 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4994 unsigned int len; |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4995 const unsigned char *data; |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4996 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4997 SSL_get0_alpn_selected(c->ssl->connection, &data, &len); |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4998 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
4999 if (len > 0) { |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5000 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5001 s->data = ngx_pnalloc(pool, len); |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5002 if (s->data == NULL) { |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5003 return NGX_ERROR; |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5004 } |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5005 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5006 ngx_memcpy(s->data, data, len); |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5007 s->len = len; |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5008 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5009 return NGX_OK; |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5010 } |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5011 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5012 #endif |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5013 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5014 s->len = 0; |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5015 return NGX_OK; |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5016 } |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5017 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5018 |
|
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
7901
diff
changeset
|
5019 ngx_int_t |
| 2123 | 5020 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 2045 | 5021 { |
| 5022 size_t len; | |
| 5023 BIO *bio; | |
| 5024 X509 *cert; | |
| 5025 | |
| 5026 s->len = 0; | |
| 5027 | |
| 5028 cert = SSL_get_peer_certificate(c->ssl->connection); | |
| 5029 if (cert == NULL) { | |
| 5030 return NGX_OK; | |
| 5031 } | |
| 5032 | |
| 5033 bio = BIO_new(BIO_s_mem()); | |
| 5034 if (bio == NULL) { | |
| 5035 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); | |
| 5036 X509_free(cert); | |
| 5037 return NGX_ERROR; | |
| 5038 } | |
| 5039 | |
| 5040 if (PEM_write_bio_X509(bio, cert) == 0) { | |
| 5041 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed"); | |
| 5042 goto failed; | |
| 5043 } | |
| 5044 | |
| 5045 len = BIO_pending(bio); | |
| 5046 s->len = len; | |
| 5047 | |
| 2049 | 5048 s->data = ngx_pnalloc(pool, len); |
| 2045 | 5049 if (s->data == NULL) { |
| 5050 goto failed; | |
| 5051 } | |
| 5052 | |
| 5053 BIO_read(bio, s->data, len); | |
| 5054 | |
| 5055 BIO_free(bio); | |
| 5056 X509_free(cert); | |
| 5057 | |
| 5058 return NGX_OK; | |
| 5059 | |
| 5060 failed: | |
| 5061 | |
| 5062 BIO_free(bio); | |
| 5063 X509_free(cert); | |
| 5064 | |
| 5065 return NGX_ERROR; | |
| 5066 } | |
| 5067 | |
| 5068 | |
| 5069 ngx_int_t | |
| 2123 | 5070 ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 5071 { | |
| 5072 u_char *p; | |
| 5073 size_t len; | |
| 5074 ngx_uint_t i; | |
| 5075 ngx_str_t cert; | |
| 5076 | |
| 5077 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { | |
| 5078 return NGX_ERROR; | |
| 5079 } | |
| 5080 | |
| 5081 if (cert.len == 0) { | |
| 5082 s->len = 0; | |
| 5083 return NGX_OK; | |
| 5084 } | |
| 5085 | |
| 5086 len = cert.len - 1; | |
| 5087 | |
| 5088 for (i = 0; i < cert.len - 1; i++) { | |
| 5089 if (cert.data[i] == LF) { | |
| 5090 len++; | |
| 5091 } | |
| 5092 } | |
| 5093 | |
| 5094 s->len = len; | |
| 5095 s->data = ngx_pnalloc(pool, len); | |
| 5096 if (s->data == NULL) { | |
| 5097 return NGX_ERROR; | |
| 5098 } | |
| 5099 | |
| 5100 p = s->data; | |
| 5101 | |
|
3002
bf0c7e58e016
fix memory corruption in $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents:
2997
diff
changeset
|
5102 for (i = 0; i < cert.len - 1; i++) { |
| 2123 | 5103 *p++ = cert.data[i]; |
| 5104 if (cert.data[i] == LF) { | |
| 5105 *p++ = '\t'; | |
| 5106 } | |
| 5107 } | |
| 5108 | |
| 5109 return NGX_OK; | |
| 5110 } | |
| 5111 | |
| 5112 | |
| 5113 ngx_int_t | |
|
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5114 ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5115 ngx_str_t *s) |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5116 { |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5117 ngx_str_t cert; |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5118 uintptr_t n; |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5119 |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5120 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5121 return NGX_ERROR; |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5122 } |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5123 |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5124 if (cert.len == 0) { |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5125 s->len = 0; |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5126 return NGX_OK; |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5127 } |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5128 |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5129 n = ngx_escape_uri(NULL, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT); |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5130 |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5131 s->len = cert.len + n * 2; |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5132 s->data = ngx_pnalloc(pool, s->len); |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5133 if (s->data == NULL) { |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5134 return NGX_ERROR; |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5135 } |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5136 |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5137 ngx_escape_uri(s->data, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT); |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5138 |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5139 return NGX_OK; |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5140 } |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5141 |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5142 |
|
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5143 ngx_int_t |
| 647 | 5144 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 5145 { | |
|
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5146 BIO *bio; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5147 X509 *cert; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5148 X509_NAME *name; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5149 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5150 s->len = 0; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5151 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5152 cert = SSL_get_peer_certificate(c->ssl->connection); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5153 if (cert == NULL) { |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5154 return NGX_OK; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5155 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5156 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5157 name = X509_get_subject_name(cert); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5158 if (name == NULL) { |
|
7484
65074e13f171
SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.
Nikolay Morozov <n.morozov@securitycode.ru>
parents:
7477
diff
changeset
|
5159 X509_free(cert); |
|
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5160 return NGX_ERROR; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5161 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5162 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5163 bio = BIO_new(BIO_s_mem()); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5164 if (bio == NULL) { |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5165 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
|
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5166 X509_free(cert); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5167 return NGX_ERROR; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5168 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5169 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5170 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) { |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5171 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed"); |
|
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5172 goto failed; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5173 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5174 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5175 s->len = BIO_pending(bio); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5176 s->data = ngx_pnalloc(pool, s->len); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5177 if (s->data == NULL) { |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5178 goto failed; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5179 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5180 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5181 BIO_read(bio, s->data, s->len); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5182 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5183 BIO_free(bio); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5184 X509_free(cert); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5185 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5186 return NGX_OK; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5187 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5188 failed: |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5189 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5190 BIO_free(bio); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5191 X509_free(cert); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5192 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5193 return NGX_ERROR; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5194 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5195 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5196 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5197 ngx_int_t |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5198 ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5199 { |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5200 BIO *bio; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5201 X509 *cert; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5202 X509_NAME *name; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5203 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5204 s->len = 0; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5205 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5206 cert = SSL_get_peer_certificate(c->ssl->connection); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5207 if (cert == NULL) { |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5208 return NGX_OK; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5209 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5210 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5211 name = X509_get_issuer_name(cert); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5212 if (name == NULL) { |
|
7484
65074e13f171
SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.
Nikolay Morozov <n.morozov@securitycode.ru>
parents:
7477
diff
changeset
|
5213 X509_free(cert); |
|
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5214 return NGX_ERROR; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5215 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5216 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5217 bio = BIO_new(BIO_s_mem()); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5218 if (bio == NULL) { |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5219 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
|
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5220 X509_free(cert); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5221 return NGX_ERROR; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5222 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5223 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5224 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) { |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5225 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed"); |
|
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5226 goto failed; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5227 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5228 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5229 s->len = BIO_pending(bio); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5230 s->data = ngx_pnalloc(pool, s->len); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5231 if (s->data == NULL) { |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5232 goto failed; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5233 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5234 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5235 BIO_read(bio, s->data, s->len); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5236 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5237 BIO_free(bio); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5238 X509_free(cert); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5239 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5240 return NGX_OK; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5241 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5242 failed: |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5243 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5244 BIO_free(bio); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5245 X509_free(cert); |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5246 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5247 return NGX_ERROR; |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5248 } |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5249 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5250 |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5251 ngx_int_t |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5252 ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5253 ngx_str_t *s) |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5254 { |
| 647 | 5255 char *p; |
| 5256 size_t len; | |
| 5257 X509 *cert; | |
| 5258 X509_NAME *name; | |
| 5259 | |
| 5260 s->len = 0; | |
| 5261 | |
| 5262 cert = SSL_get_peer_certificate(c->ssl->connection); | |
| 5263 if (cert == NULL) { | |
| 5264 return NGX_OK; | |
| 5265 } | |
| 5266 | |
| 5267 name = X509_get_subject_name(cert); | |
| 5268 if (name == NULL) { | |
|
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5269 X509_free(cert); |
| 647 | 5270 return NGX_ERROR; |
| 5271 } | |
| 5272 | |
| 5273 p = X509_NAME_oneline(name, NULL, 0); | |
|
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5274 if (p == NULL) { |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5275 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed"); |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5276 X509_free(cert); |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5277 return NGX_ERROR; |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5278 } |
| 647 | 5279 |
| 5280 for (len = 0; p[len]; len++) { /* void */ } | |
| 5281 | |
| 5282 s->len = len; | |
| 2049 | 5283 s->data = ngx_pnalloc(pool, len); |
| 647 | 5284 if (s->data == NULL) { |
| 5285 OPENSSL_free(p); | |
|
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5286 X509_free(cert); |
| 647 | 5287 return NGX_ERROR; |
| 5288 } | |
| 5289 | |
| 5290 ngx_memcpy(s->data, p, len); | |
| 5291 | |
| 5292 OPENSSL_free(p); | |
|
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5293 X509_free(cert); |
| 647 | 5294 |
| 5295 return NGX_OK; | |
| 5296 } | |
| 5297 | |
| 5298 | |
| 5299 ngx_int_t | |
|
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5300 ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
|
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5301 ngx_str_t *s) |
| 647 | 5302 { |
| 5303 char *p; | |
| 5304 size_t len; | |
| 5305 X509 *cert; | |
| 5306 X509_NAME *name; | |
| 5307 | |
| 5308 s->len = 0; | |
| 5309 | |
| 5310 cert = SSL_get_peer_certificate(c->ssl->connection); | |
| 5311 if (cert == NULL) { | |
| 5312 return NGX_OK; | |
| 5313 } | |
| 5314 | |
| 5315 name = X509_get_issuer_name(cert); | |
| 5316 if (name == NULL) { | |
|
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5317 X509_free(cert); |
| 647 | 5318 return NGX_ERROR; |
| 5319 } | |
| 5320 | |
| 5321 p = X509_NAME_oneline(name, NULL, 0); | |
|
7779
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5322 if (p == NULL) { |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5323 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed"); |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5324 X509_free(cert); |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5325 return NGX_ERROR; |
|
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7751
diff
changeset
|
5326 } |
| 647 | 5327 |
| 5328 for (len = 0; p[len]; len++) { /* void */ } | |
| 5329 | |
| 5330 s->len = len; | |
| 2049 | 5331 s->data = ngx_pnalloc(pool, len); |
| 647 | 5332 if (s->data == NULL) { |
| 5333 OPENSSL_free(p); | |
|
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5334 X509_free(cert); |
| 647 | 5335 return NGX_ERROR; |
| 5336 } | |
| 5337 | |
| 5338 ngx_memcpy(s->data, p, len); | |
| 5339 | |
| 5340 OPENSSL_free(p); | |
|
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5341 X509_free(cert); |
| 647 | 5342 |
| 5343 return NGX_OK; | |
| 5344 } | |
| 5345 | |
| 5346 | |
| 671 | 5347 ngx_int_t |
| 5348 ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
| 5349 { | |
| 5350 size_t len; | |
| 5351 X509 *cert; | |
| 5352 BIO *bio; | |
| 5353 | |
| 5354 s->len = 0; | |
| 5355 | |
| 5356 cert = SSL_get_peer_certificate(c->ssl->connection); | |
| 5357 if (cert == NULL) { | |
| 5358 return NGX_OK; | |
| 5359 } | |
| 5360 | |
| 5361 bio = BIO_new(BIO_s_mem()); | |
| 5362 if (bio == NULL) { | |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5363 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
|
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5364 X509_free(cert); |
| 671 | 5365 return NGX_ERROR; |
| 5366 } | |
| 5367 | |
| 5368 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); | |
| 5369 len = BIO_pending(bio); | |
| 5370 | |
| 5371 s->len = len; | |
| 2049 | 5372 s->data = ngx_pnalloc(pool, len); |
| 671 | 5373 if (s->data == NULL) { |
| 5374 BIO_free(bio); | |
|
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5375 X509_free(cert); |
| 671 | 5376 return NGX_ERROR; |
| 5377 } | |
| 5378 | |
| 5379 BIO_read(bio, s->data, len); | |
| 5380 BIO_free(bio); | |
|
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5381 X509_free(cert); |
| 671 | 5382 |
| 5383 return NGX_OK; | |
| 5384 } | |
| 5385 | |
| 5386 | |
| 2994 | 5387 ngx_int_t |
|
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5388 ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5389 { |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5390 X509 *cert; |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5391 unsigned int len; |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5392 u_char buf[EVP_MAX_MD_SIZE]; |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5393 |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5394 s->len = 0; |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5395 |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5396 cert = SSL_get_peer_certificate(c->ssl->connection); |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5397 if (cert == NULL) { |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5398 return NGX_OK; |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5399 } |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5400 |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5401 if (!X509_digest(cert, EVP_sha1(), buf, &len)) { |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5402 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_digest() failed"); |
|
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5403 X509_free(cert); |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5404 return NGX_ERROR; |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5405 } |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5406 |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5407 s->len = 2 * len; |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5408 s->data = ngx_pnalloc(pool, 2 * len); |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5409 if (s->data == NULL) { |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5410 X509_free(cert); |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5411 return NGX_ERROR; |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5412 } |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5413 |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5414 ngx_hex_dump(s->data, buf, len); |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5415 |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5416 X509_free(cert); |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5417 |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5418 return NGX_OK; |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5419 } |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5420 |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5421 |
|
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5422 ngx_int_t |
| 2994 | 5423 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 5424 { | |
|
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5425 X509 *cert; |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5426 long rc; |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5427 const char *str; |
| 2994 | 5428 |
| 5429 cert = SSL_get_peer_certificate(c->ssl->connection); | |
|
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5430 if (cert == NULL) { |
|
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3488
diff
changeset
|
5431 ngx_str_set(s, "NONE"); |
|
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5432 return NGX_OK; |
| 2994 | 5433 } |
| 5434 | |
| 5435 X509_free(cert); | |
| 5436 | |
|
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5437 rc = SSL_get_verify_result(c->ssl->connection); |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5438 |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5439 if (rc == X509_V_OK) { |
|
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5440 if (ngx_ssl_ocsp_get_status(c, &str) == NGX_OK) { |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5441 ngx_str_set(s, "SUCCESS"); |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5442 return NGX_OK; |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5443 } |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5444 |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5445 } else { |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5446 str = X509_verify_cert_error_string(rc); |
|
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5447 } |
|
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5448 |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5449 s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str)); |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5450 if (s->data == NULL) { |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5451 return NGX_ERROR; |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5452 } |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5453 |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5454 s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data; |
|
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5455 |
| 2994 | 5456 return NGX_OK; |
| 5457 } | |
| 5458 | |
| 5459 | |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5460 ngx_int_t |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5461 ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5462 { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5463 BIO *bio; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5464 X509 *cert; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5465 size_t len; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5466 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5467 s->len = 0; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5468 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5469 cert = SSL_get_peer_certificate(c->ssl->connection); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5470 if (cert == NULL) { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5471 return NGX_OK; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5472 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5473 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5474 bio = BIO_new(BIO_s_mem()); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5475 if (bio == NULL) { |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5476 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5477 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5478 return NGX_ERROR; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5479 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5480 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5481 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5482 ASN1_TIME_print(bio, X509_get0_notBefore(cert)); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5483 #else |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5484 ASN1_TIME_print(bio, X509_get_notBefore(cert)); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5485 #endif |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5486 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5487 len = BIO_pending(bio); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5488 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5489 s->len = len; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5490 s->data = ngx_pnalloc(pool, len); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5491 if (s->data == NULL) { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5492 BIO_free(bio); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5493 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5494 return NGX_ERROR; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5495 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5496 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5497 BIO_read(bio, s->data, len); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5498 BIO_free(bio); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5499 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5500 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5501 return NGX_OK; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5502 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5503 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5504 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5505 ngx_int_t |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5506 ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5507 { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5508 BIO *bio; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5509 X509 *cert; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5510 size_t len; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5511 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5512 s->len = 0; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5513 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5514 cert = SSL_get_peer_certificate(c->ssl->connection); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5515 if (cert == NULL) { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5516 return NGX_OK; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5517 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5518 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5519 bio = BIO_new(BIO_s_mem()); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5520 if (bio == NULL) { |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5521 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5522 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5523 return NGX_ERROR; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5524 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5525 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5526 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5527 ASN1_TIME_print(bio, X509_get0_notAfter(cert)); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5528 #else |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5529 ASN1_TIME_print(bio, X509_get_notAfter(cert)); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5530 #endif |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5531 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5532 len = BIO_pending(bio); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5533 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5534 s->len = len; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5535 s->data = ngx_pnalloc(pool, len); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5536 if (s->data == NULL) { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5537 BIO_free(bio); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5538 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5539 return NGX_ERROR; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5540 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5541 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5542 BIO_read(bio, s->data, len); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5543 BIO_free(bio); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5544 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5545 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5546 return NGX_OK; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5547 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5548 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5549 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5550 ngx_int_t |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5551 ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5552 { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5553 X509 *cert; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5554 time_t now, end; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5555 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5556 s->len = 0; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5557 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5558 cert = SSL_get_peer_certificate(c->ssl->connection); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5559 if (cert == NULL) { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5560 return NGX_OK; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5561 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5562 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5563 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5564 end = ngx_ssl_parse_time(X509_get0_notAfter(cert), c->log); |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5565 #else |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5566 end = ngx_ssl_parse_time(X509_get_notAfter(cert), c->log); |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5567 #endif |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5568 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5569 if (end == (time_t) NGX_ERROR) { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5570 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5571 return NGX_OK; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5572 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5573 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5574 now = ngx_time(); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5575 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5576 if (end < now + 86400) { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5577 ngx_str_set(s, "0"); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5578 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5579 return NGX_OK; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5580 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5581 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5582 s->data = ngx_pnalloc(pool, NGX_TIME_T_LEN); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5583 if (s->data == NULL) { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5584 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5585 return NGX_ERROR; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5586 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5587 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5588 s->len = ngx_sprintf(s->data, "%T", (end - now) / 86400) - s->data; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5589 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5590 X509_free(cert); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5591 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5592 return NGX_OK; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5593 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5594 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5595 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5596 static time_t |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5597 ngx_ssl_parse_time( |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5598 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5599 const |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5600 #endif |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5601 ASN1_TIME *asn1time, ngx_log_t *log) |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5602 { |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5603 BIO *bio; |
|
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5604 char *value; |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5605 size_t len; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5606 time_t time; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5607 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5608 /* |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5609 * OpenSSL doesn't provide a way to convert ASN1_TIME |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5610 * into time_t. To do this, we use ASN1_TIME_print(), |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5611 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g., |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5612 * "Feb 3 00:55:52 2015 GMT"), and parse the result. |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5613 */ |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5614 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5615 bio = BIO_new(BIO_s_mem()); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5616 if (bio == NULL) { |
|
7780
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7779
diff
changeset
|
5617 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "BIO_new() failed"); |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5618 return NGX_ERROR; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5619 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5620 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5621 /* fake weekday prepended to match C asctime() format */ |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5622 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5623 BIO_write(bio, "Tue ", sizeof("Tue ") - 1); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5624 ASN1_TIME_print(bio, asn1time); |
|
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5625 len = BIO_get_mem_data(bio, &value); |
|
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5626 |
|
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5627 time = ngx_parse_http_time((u_char *) value, len); |
|
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5628 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5629 BIO_free(bio); |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5630 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5631 return time; |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5632 } |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5633 |
|
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5634 |
| 541 | 5635 static void * |
| 5636 ngx_openssl_create_conf(ngx_cycle_t *cycle) | |
| 5637 { | |
| 5638 ngx_openssl_conf_t *oscf; | |
| 577 | 5639 |
| 541 | 5640 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t)); |
| 5641 if (oscf == NULL) { | |
|
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2764
diff
changeset
|
5642 return NULL; |
| 541 | 5643 } |
| 577 | 5644 |
| 541 | 5645 /* |
| 5646 * set by ngx_pcalloc(): | |
| 577 | 5647 * |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5648 * oscf->engine = 0; |
| 577 | 5649 */ |
| 541 | 5650 |
| 5651 return oscf; | |
| 5652 } | |
| 5653 | |
| 5654 | |
| 5655 static char * | |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5656 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
| 541 | 5657 { |
|
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5658 #ifndef OPENSSL_NO_ENGINE |
|
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5659 |
| 541 | 5660 ngx_openssl_conf_t *oscf = conf; |
| 571 | 5661 |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5662 ENGINE *engine; |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5663 ngx_str_t *value; |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5664 |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5665 if (oscf->engine) { |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5666 return "is duplicate"; |
| 541 | 5667 } |
| 577 | 5668 |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5669 oscf->engine = 1; |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5670 |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5671 value = cf->args->elts; |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5672 |
| 6552 | 5673 engine = ENGINE_by_id((char *) value[1].data); |
| 541 | 5674 |
| 5675 if (engine == NULL) { | |
|
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6687
diff
changeset
|
5676 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5677 "ENGINE_by_id(\"%V\") failed", &value[1]); |
| 541 | 5678 return NGX_CONF_ERROR; |
| 5679 } | |
| 5680 | |
| 5681 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) { | |
|
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6687
diff
changeset
|
5682 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
| 541 | 5683 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed", |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5684 &value[1]); |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5685 |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5686 ENGINE_free(engine); |
|
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5687 |
| 541 | 5688 return NGX_CONF_ERROR; |
| 5689 } | |
| 5690 | |
| 5691 ENGINE_free(engine); | |
| 5692 | |
| 5693 return NGX_CONF_OK; | |
|
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5694 |
|
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5695 #else |
|
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5696 |
|
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5697 return "is not supported"; |
|
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5698 |
|
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5699 #endif |
|
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5700 } |
| 571 | 5701 |
| 5702 | |
| 5703 static void | |
| 5704 ngx_openssl_exit(ngx_cycle_t *cycle) | |
| 5705 { | |
|
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5706 #if OPENSSL_VERSION_NUMBER < 0x10100003L |
|
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5707 |
|
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
5708 EVP_cleanup(); |
|
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5709 #ifndef OPENSSL_NO_ENGINE |
| 571 | 5710 ENGINE_cleanup(); |
|
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5711 #endif |
|
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5712 |
|
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5713 #endif |
| 571 | 5714 } |