nginx: src/event/ngx_event_openssl.c annotate

annotate src/event/ngx_event_openssl.c @ 7372:ed8738b1c7c4

SSL: explicitly set maximum version (ticket #1654). With maximum version explicitly set, TLSv1.3 will not be unexpectedly enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support) will be run with OpenSSL 1.1.1 (with TLSv1.3 support).

author	Maxim Dounin <mdounin@mdounin.ru>
date	Tue, 23 Oct 2018 22:11:48 +0300
parents	cd4fa2fab8d8
children	9ca82f273967

rev	line source
441 da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	1
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	2 /*
444 42d11f017717 nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright Igor Sysoev <igor@sysoev.ru> parents: 441 diff changeset	3 * Copyright (C) Igor Sysoev
4412 d620f497c50f Copyright updated. Maxim Konovalov <maxim@nginx.com> parents: 4400 diff changeset	4 * Copyright (C) Nginx, Inc.
441 da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	5 */
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	6
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	7
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	8 #include <ngx_config.h>
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	9 #include <ngx_core.h>
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	10 #include <ngx_event.h>
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	11
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	12
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	13 #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	14
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	15
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	16 typedef struct {
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	17 ngx_uint_t engine; /* unsigned engine:1; */
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	18 } ngx_openssl_conf_t;
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	19
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	20
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	21 static int ngx_ssl_password_callback(char *buf, int size, int rwflag,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	22 void *userdata);
5222 23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules. Piotr Sikora <piotr@cloudflare.com> parents: 5081 diff changeset	23 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	24 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	25 int ret);
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	26 static void ngx_ssl_passwords_cleanup(void *data);
7320 696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	27 static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn,
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	28 ngx_ssl_session_t *sess);
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	29 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	30 static ngx_int_t ngx_ssl_try_early_data(ngx_connection_t *c);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	31 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	32 #if (NGX_DEBUG)
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	33 static void ngx_ssl_handshake_log(ngx_connection_t *c);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	34 #endif
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	35 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	36 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	37 static ssize_t ngx_ssl_recv_early(ngx_connection_t c, u_char buf,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	38 size_t size);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	39 #endif
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	40 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	41 static void ngx_ssl_write_handler(ngx_event_t *wev);
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	42 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	43 static ssize_t ngx_ssl_write_early(ngx_connection_t c, u_char data,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	44 size_t size);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	45 #endif
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	46 static void ngx_ssl_read_handler(ngx_event_t *rev);
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	47 static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	48 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	49 ngx_err_t err, char *text);
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	50 static void ngx_ssl_clear_error(ngx_log_t *log);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	51
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	52 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	53 ngx_str_t *sess_ctx);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	54 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	55 ngx_ssl_session_t *sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	56 static ngx_ssl_session_t ngx_ssl_get_cached_session(ngx_ssl_conn_t ssl_conn,
6487 9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	57 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	58 const
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	59 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	60 u_char id, int len, int copy);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	61 static void ngx_ssl_remove_session(SSL_CTX ssl, ngx_ssl_session_t sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	62 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	63 ngx_slab_pool_t *shpool, ngx_uint_t n);
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	64 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	65 ngx_rbtree_node_t node, ngx_rbtree_node_t sentinel);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	66
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	67 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	68 static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	69 unsigned char name, unsigned char iv, EVP_CIPHER_CTX *ectx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	70 HMAC_CTX *hctx, int enc);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	71 #endif
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	72
6725 9b9ae81cd4f0 SSL: use X509_check_host() with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 6699 diff changeset	73 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	74 static ngx_int_t ngx_ssl_check_name(ngx_str_t name, ASN1_STRING str);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	75 #endif
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	76
6815 2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	77 static time_t ngx_ssl_parse_time(
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	78 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	79 const
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	80 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	81 ASN1_TIME *asn1time);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	82
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	83 static void ngx_openssl_create_conf(ngx_cycle_t cycle);
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	84 static char ngx_openssl_engine(ngx_conf_t cf, ngx_command_t cmd, void conf);
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	85 static void ngx_openssl_exit(ngx_cycle_t *cycle);
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	86
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	87
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	88 static ngx_command_t ngx_openssl_commands[] = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	89
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	90 { ngx_string("ssl_engine"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	91 NGX_MAIN_CONF\|NGX_DIRECT_CONF\|NGX_CONF_TAKE1,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	92 ngx_openssl_engine,
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	93 0,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	94 0,
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	95 NULL },
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	96
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	97 ngx_null_command
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	98 };
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	99
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	100
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	101 static ngx_core_module_t ngx_openssl_module_ctx = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	102 ngx_string("openssl"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	103 ngx_openssl_create_conf,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	104 NULL
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	105 };
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	106
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	107
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	108 ngx_module_t ngx_openssl_module = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	109 NGX_MODULE_V1,
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	110 &ngx_openssl_module_ctx, /* module context */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	111 ngx_openssl_commands, /* module directives */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	112 NGX_CORE_MODULE, /* module type */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	113 NULL, /* init master */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	114 NULL, /* init module */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	115 NULL, /* init process */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	116 NULL, /* init thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	117 NULL, /* exit thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	118 NULL, /* exit process */
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	119 ngx_openssl_exit, /* exit master */
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	120 NGX_MODULE_V1_PADDING
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	121 };
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	122
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	123
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	124 int ngx_ssl_connection_index;
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	125 int ngx_ssl_server_conf_index;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	126 int ngx_ssl_session_cache_index;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	127 int ngx_ssl_session_ticket_keys_index;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	128 int ngx_ssl_certificate_index;
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	129 int ngx_ssl_next_certificate_index;
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	130 int ngx_ssl_certificate_name_index;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	131 int ngx_ssl_stapling_index;
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	132
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	133
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	134 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	135 ngx_ssl_init(ngx_log_t *log)
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	136 {
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	137 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	138
6902 5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	139 if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) {
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	140 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	141 return NGX_ERROR;
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	142 }
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	143
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	144 /*
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	145 * OPENSSL_init_ssl() may leave errors in the error queue
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	146 * while returning success
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	147 */
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	148
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	149 ERR_clear_error();
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	150
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	151 #else
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	152
968 1b60ecc8cdb7 OPENSSL_config() Igor Sysoev <igor@sysoev.ru> parents: 671 diff changeset	153 OPENSSL_config(NULL);
1b60ecc8cdb7 OPENSSL_config() Igor Sysoev <igor@sysoev.ru> parents: 671 diff changeset	154
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	155 SSL_library_init();
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	156 SSL_load_error_strings();
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	157
3464 7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error Igor Sysoev <igor@sysoev.ru> parents: 3457 diff changeset	158 OpenSSL_add_all_algorithms();
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error Igor Sysoev <igor@sysoev.ru> parents: 3457 diff changeset	159
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	160 #endif
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	161
4868 22a6ef66b6f5 SSL: added version checks for ssl compression workaround. Maxim Dounin <mdounin@mdounin.ru> parents: 4867 diff changeset	162 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
4696 b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	163 #ifndef SSL_OP_NO_COMPRESSION
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	164 {
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	165 /*
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	166 * Disable gzip compression in OpenSSL prior to 1.0.0 version,
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	167 * this saves about 522K per connection.
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	168 */
4867 90bbf2adb2c9 SSL: fixed compression workaround to remove all methods. Maxim Dounin <mdounin@mdounin.ru> parents: 4696 diff changeset	169 int n;
4696 b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	170 STACK_OF(SSL_COMP) *ssl_comp_methods;
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	171
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	172 ssl_comp_methods = SSL_COMP_get_compression_methods();
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	173 n = sk_SSL_COMP_num(ssl_comp_methods);
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	174
4867 90bbf2adb2c9 SSL: fixed compression workaround to remove all methods. Maxim Dounin <mdounin@mdounin.ru> parents: 4696 diff changeset	175 while (n--) {
90bbf2adb2c9 SSL: fixed compression workaround to remove all methods. Maxim Dounin <mdounin@mdounin.ru> parents: 4696 diff changeset	176 (void) sk_SSL_COMP_pop(ssl_comp_methods);
4696 b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	177 }
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	178 }
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	179 #endif
4868 22a6ef66b6f5 SSL: added version checks for ssl compression workaround. Maxim Dounin <mdounin@mdounin.ru> parents: 4867 diff changeset	180 #endif
4696 b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	181
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	182 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	183
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	184 if (ngx_ssl_connection_index == -1) {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	185 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	186 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	187 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	188
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	189 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	190 NULL);
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	191 if (ngx_ssl_server_conf_index == -1) {
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	192 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	193 "SSL_CTX_get_ex_new_index() failed");
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	194 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	195 }
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	196
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	197 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	198 NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	199 if (ngx_ssl_session_cache_index == -1) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	200 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	201 "SSL_CTX_get_ex_new_index() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	202 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	203 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	204
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	205 ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	206 NULL, NULL);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	207 if (ngx_ssl_session_ticket_keys_index == -1) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	208 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	209 "SSL_CTX_get_ex_new_index() failed");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	210 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	211 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	212
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	213 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	214 NULL);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	215 if (ngx_ssl_certificate_index == -1) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	216 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	217 "SSL_CTX_get_ex_new_index() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	218 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	219 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	220
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	221 ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	222 NULL);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	223 if (ngx_ssl_next_certificate_index == -1) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	224 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	225 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	226 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	227
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	228 ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	229 NULL);
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	230
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	231 if (ngx_ssl_certificate_name_index == -1) {
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	232 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	233 return NGX_ERROR;
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	234 }
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	235
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6490 diff changeset	236 ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL);
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6490 diff changeset	237
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	238 if (ngx_ssl_stapling_index == -1) {
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6490 diff changeset	239 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	240 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	241 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	242
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	243 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	244 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	245
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	246
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	247 ngx_int_t
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	248 ngx_ssl_create(ngx_ssl_t ssl, ngx_uint_t protocols, void data)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	249 {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	250 ssl->ctx = SSL_CTX_new(SSLv23_method());
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	251
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	252 if (ssl->ctx == NULL) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	253 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	254 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	255 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	256
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	257 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	258 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	259 "SSL_CTX_set_ex_data() failed");
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	260 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	261 }
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	262
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	263 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	264 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	265 "SSL_CTX_set_ex_data() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	266 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	267 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	268
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	269 ssl->buffer_size = NGX_SSL_BUFSIZE;
a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	270
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	271 /* client side options */
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	272
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	273 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	274 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	275 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	276
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	277 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	278 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	279 #endif
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	280
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	281 /* server side options */
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	282
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	283 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	284 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	285 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	286
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	287 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	288 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	289 #endif
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	290
5378 a73678f5f96f SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING. Piotr Sikora <piotr@cloudflare.com> parents: 5365 diff changeset	291 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	292 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	293 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
5378 a73678f5f96f SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING. Piotr Sikora <piotr@cloudflare.com> parents: 5365 diff changeset	294 #endif
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	295
5778 45ed2f1f0a6a SSL: let it build against BoringSSL. Piotr Sikora <piotr@cloudflare.com> parents: 5777 diff changeset	296 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	297 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
5778 45ed2f1f0a6a SSL: let it build against BoringSSL. Piotr Sikora <piotr@cloudflare.com> parents: 5777 diff changeset	298 #endif
45ed2f1f0a6a SSL: let it build against BoringSSL. Piotr Sikora <piotr@cloudflare.com> parents: 5777 diff changeset	299
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	300 #ifdef SSL_OP_TLS_D5_BUG
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	301 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	302 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	303
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	304 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	305 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	306 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	307
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	308 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	309 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	310 #endif
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	311
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	312 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	313
7318 3443fe40bdc7 SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+. Maxim Dounin <mdounin@mdounin.ru> parents: 7317 diff changeset	314 #if OPENSSL_VERSION_NUMBER >= 0x009080dfL
6034 3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	315 /* only in 0.9.8m+ */
3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	316 SSL_CTX_clear_options(ssl->ctx,
3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	317 SSL_OP_NO_SSLv2\|SSL_OP_NO_SSLv3\|SSL_OP_NO_TLSv1);
3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	318 #endif
3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	319
4400 a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	320 if (!(protocols & NGX_SSL_SSLv2)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	321 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	322 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	323 if (!(protocols & NGX_SSL_SSLv3)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	324 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	325 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	326 if (!(protocols & NGX_SSL_TLSv1)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	327 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	328 }
4400 a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	329 #ifdef SSL_OP_NO_TLSv1_1
6034 3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	330 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
4400 a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	331 if (!(protocols & NGX_SSL_TLSv1_1)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	332 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	333 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	334 #endif
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	335 #ifdef SSL_OP_NO_TLSv1_2
6034 3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	336 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
4400 a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	337 if (!(protocols & NGX_SSL_TLSv1_2)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	338 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	339 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	340 #endif
6981 08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	341 #ifdef SSL_OP_NO_TLSv1_3
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	342 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	343 if (!(protocols & NGX_SSL_TLSv1_3)) {
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	344 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	345 }
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	346 #endif
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	347
7372 ed8738b1c7c4 SSL: explicitly set maximum version (ticket #1654). Maxim Dounin <mdounin@mdounin.ru> parents: 7365 diff changeset	348 #ifdef SSL_CTX_set_min_proto_version
ed8738b1c7c4 SSL: explicitly set maximum version (ticket #1654). Maxim Dounin <mdounin@mdounin.ru> parents: 7365 diff changeset	349 SSL_CTX_set_min_proto_version(ssl->ctx, 0);
ed8738b1c7c4 SSL: explicitly set maximum version (ticket #1654). Maxim Dounin <mdounin@mdounin.ru> parents: 7365 diff changeset	350 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
ed8738b1c7c4 SSL: explicitly set maximum version (ticket #1654). Maxim Dounin <mdounin@mdounin.ru> parents: 7365 diff changeset	351 #endif
ed8738b1c7c4 SSL: explicitly set maximum version (ticket #1654). Maxim Dounin <mdounin@mdounin.ru> parents: 7365 diff changeset	352
7332 7ad0f4ace359 SSL: enabled TLSv1.3 with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7320 diff changeset	353 #ifdef TLS1_3_VERSION
7ad0f4ace359 SSL: enabled TLSv1.3 with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7320 diff changeset	354 SSL_CTX_set_min_proto_version(ssl->ctx, 0);
7ad0f4ace359 SSL: enabled TLSv1.3 with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7320 diff changeset	355 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
7ad0f4ace359 SSL: enabled TLSv1.3 with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7320 diff changeset	356 #endif
7ad0f4ace359 SSL: enabled TLSv1.3 with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7320 diff changeset	357
4185 6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	358 #ifdef SSL_OP_NO_COMPRESSION
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	359 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	360 #endif
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	361
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	362 #ifdef SSL_OP_NO_ANTI_REPLAY
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	363 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	364 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	365
4186 cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	366 #ifdef SSL_MODE_RELEASE_BUFFERS
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	367 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	368 #endif
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	369
6036 4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN. Maxim Dounin <mdounin@mdounin.ru> parents: 6034 diff changeset	370 #ifdef SSL_MODE_NO_AUTO_CHAIN
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN. Maxim Dounin <mdounin@mdounin.ru> parents: 6034 diff changeset	371 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN. Maxim Dounin <mdounin@mdounin.ru> parents: 6034 diff changeset	372 #endif
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN. Maxim Dounin <mdounin@mdounin.ru> parents: 6034 diff changeset	373
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	374 SSL_CTX_set_read_ahead(ssl->ctx, 1);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	375
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	376 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	377
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	378 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	379 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	380
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	381
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	382 ngx_int_t
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	383 ngx_ssl_certificates(ngx_conf_t cf, ngx_ssl_t ssl, ngx_array_t *certs,
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	384 ngx_array_t keys, ngx_array_t passwords)
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	385 {
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	386 ngx_str_t cert, key;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	387 ngx_uint_t i;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	388
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	389 cert = certs->elts;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	390 key = keys->elts;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	391
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	392 for (i = 0; i < certs->nelts; i++) {
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	393
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	394 if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords)
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	395 != NGX_OK)
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	396 {
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	397 return NGX_ERROR;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	398 }
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	399 }
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	400
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	401 return NGX_OK;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	402 }
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	403
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	404
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	405 ngx_int_t
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	406 ngx_ssl_certificate(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *cert,
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	407 ngx_str_t key, ngx_array_t passwords)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	408 {
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	409 BIO *bio;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	410 X509 *x509;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	411 u_long n;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	412 ngx_str_t *pwd;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	413 ngx_uint_t tries;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	414
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	415 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	416 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	417 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	418
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	419 /*
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	420 * we can't use SSL_CTX_use_certificate_chain_file() as it doesn't
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	421 * allow to access certificate later from SSL_CTX, so we reimplement
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	422 * it here
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	423 */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	424
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	425 bio = BIO_new_file((char *) cert->data, "r");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	426 if (bio == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	427 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	428 "BIO_new_file(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	429 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	430 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	431
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	432 x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	433 if (x509 == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	434 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	435 "PEM_read_bio_X509_AUX(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	436 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	437 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	438 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	439
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	440 if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	441 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	442 "SSL_CTX_use_certificate(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	443 X509_free(x509);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	444 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	445 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	446 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	447
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	448 if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data)
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	449 == 0)
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	450 {
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	451 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	452 X509_free(x509);
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	453 BIO_free(bio);
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	454 return NGX_ERROR;
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	455 }
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	456
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	457 if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	458 SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index))
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	459 == 0)
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	460 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	461 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	462 X509_free(x509);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	463 BIO_free(bio);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	464 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	465 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	466
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	467 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	468 == 0)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	469 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	470 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	471 "SSL_CTX_set_ex_data() failed");
5384 cfbf1d1cc233 SSL: fixed possible memory and file descriptor leak on HUP signal. Piotr Sikora <piotr@cloudflare.com> parents: 5378 diff changeset	472 X509_free(x509);
cfbf1d1cc233 SSL: fixed possible memory and file descriptor leak on HUP signal. Piotr Sikora <piotr@cloudflare.com> parents: 5378 diff changeset	473 BIO_free(bio);
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	474 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	475 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	476
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	477 /* read rest of the chain */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	478
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	479 for ( ;; ) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	480
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	481 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	482 if (x509 == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	483 n = ERR_peek_last_error();
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	484
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	485 if (ERR_GET_LIB(n) == ERR_LIB_PEM
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	486 && ERR_GET_REASON(n) == PEM_R_NO_START_LINE)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	487 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	488 /* end of file */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	489 ERR_clear_error();
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	490 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	491 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	492
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	493 /* some real error */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	494
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	495 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	496 "PEM_read_bio_X509(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	497 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	498 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	499 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	500
6549 d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	501 #ifdef SSL_CTRL_CHAIN_CERT
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	502
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	503 /*
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	504 * SSL_CTX_add0_chain_cert() is needed to add chain to
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	505 * a particular certificate when multiple certificates are used;
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	506 * only available in OpenSSL 1.0.2+
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	507 */
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	508
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	509 if (SSL_CTX_add0_chain_cert(ssl->ctx, x509) == 0) {
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	510 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	511 "SSL_CTX_add0_chain_cert(\"%s\") failed",
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	512 cert->data);
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	513 X509_free(x509);
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	514 BIO_free(bio);
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	515 return NGX_ERROR;
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	516 }
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	517
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	518 #else
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	519 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	520 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	521 "SSL_CTX_add_extra_chain_cert(\"%s\") failed",
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	522 cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	523 X509_free(x509);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	524 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	525 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	526 }
6549 d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	527 #endif
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	528 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	529
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	530 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	531
5934 2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	532 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	533
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	534 #ifndef OPENSSL_NO_ENGINE
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	535
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	536 u_char p, last;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	537 ENGINE *engine;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	538 EVP_PKEY *pkey;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	539
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	540 p = key->data + sizeof("engine:") - 1;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	541 last = (u_char *) ngx_strchr(p, ':');
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	542
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	543 if (last == NULL) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	544 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	545 "invalid syntax in \"%V\"", key);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	546 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	547 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	548
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	549 *last = '\0';
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	550
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	551 engine = ENGINE_by_id((char *) p);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	552
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	553 if (engine == NULL) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	554 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	555 "ENGINE_by_id(\"%s\") failed", p);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	556 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	557 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	558
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	559 *last++ = ':';
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	560
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	561 pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	562
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	563 if (pkey == NULL) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	564 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	565 "ENGINE_load_private_key(\"%s\") failed", last);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	566 ENGINE_free(engine);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	567 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	568 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	569
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	570 ENGINE_free(engine);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	571
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	572 if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	573 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	574 "SSL_CTX_use_PrivateKey(\"%s\") failed", last);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	575 EVP_PKEY_free(pkey);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	576 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	577 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	578
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	579 EVP_PKEY_free(pkey);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	580
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	581 return NGX_OK;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	582
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	583 #else
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	584
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	585 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	586 "loading \"engine:...\" certificate keys "
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	587 "is not supported");
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	588 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	589
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	590 #endif
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	591 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	592
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	593 if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	594 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	595 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	596
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	597 if (passwords) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	598 tries = passwords->nelts;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	599 pwd = passwords->elts;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	600
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	601 SSL_CTX_set_default_passwd_cb(ssl->ctx, ngx_ssl_password_callback);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	602 SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, pwd);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	603
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	604 } else {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	605 tries = 1;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	606 #if (NGX_SUPPRESS_WARN)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	607 pwd = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	608 #endif
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	609 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	610
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	611 for ( ;; ) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	612
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	613 if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	614 SSL_FILETYPE_PEM)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	615 != 0)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	616 {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	617 break;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	618 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	619
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	620 if (--tries) {
5892 42520df85ebb SSL: simplified ssl_password_file error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 5882 diff changeset	621 ERR_clear_error();
42520df85ebb SSL: simplified ssl_password_file error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 5882 diff changeset	622 SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
42520df85ebb SSL: simplified ssl_password_file error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 5882 diff changeset	623 continue;
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	624 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	625
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	626 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	627 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	628 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	629 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	630
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	631 SSL_CTX_set_default_passwd_cb(ssl->ctx, NULL);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	632
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	633 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	634 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	635
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	636
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	637 static int
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	638 ngx_ssl_password_callback(char buf, int size, int rwflag, void userdata)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	639 {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	640 ngx_str_t *pwd = userdata;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	641
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	642 if (rwflag) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	643 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	644 "ngx_ssl_password_callback() is called for encryption");
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	645 return 0;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	646 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	647
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	648 if (pwd->len > (size_t) size) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	649 ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	650 "password is truncated to %d bytes", size);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	651 } else {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	652 size = pwd->len;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	653 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	654
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	655 ngx_memcpy(buf, pwd->data, size);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	656
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	657 return size;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	658 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	659
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	660
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	661 ngx_int_t
6591 04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	662 ngx_ssl_ciphers(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *ciphers,
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	663 ngx_uint_t prefer_server_ciphers)
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	664 {
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	665 if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	666 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	667 "SSL_CTX_set_cipher_list(\"%V\") failed",
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	668 ciphers);
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	669 return NGX_ERROR;
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	670 }
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	671
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	672 if (prefer_server_ciphers) {
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	673 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	674 }
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	675
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	676 #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	677 /* a temporary 512-bit RSA key is required for export versions of MSIE */
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	678 SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	679 #endif
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	680
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	681 return NGX_OK;
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	682 }
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	683
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	684
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	685 ngx_int_t
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	686 ngx_ssl_client_certificate(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *cert,
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	687 ngx_int_t depth)
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	688 {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	689 STACK_OF(X509_NAME) *list;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	690
5222 23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules. Piotr Sikora <piotr@cloudflare.com> parents: 5081 diff changeset	691 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	692
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	693 SSL_CTX_set_verify_depth(ssl->ctx, depth);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	694
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	695 if (cert->len == 0) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	696 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	697 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	698
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	699 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	700 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	701 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	702
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	703 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	704 == 0)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	705 {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	706 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	707 "SSL_CTX_load_verify_locations(\"%s\") failed",
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	708 cert->data);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	709 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	710 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	711
5365 6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	712 /*
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	713 * SSL_CTX_load_verify_locations() may leave errors in the error queue
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	714 * while returning success
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	715 */
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	716
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	717 ERR_clear_error();
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	718
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	719 list = SSL_load_client_CA_file((char *) cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	720
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	721 if (list == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	722 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	723 "SSL_load_client_CA_file(\"%s\") failed", cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	724 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	725 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	726
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	727 /*
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	728 * before 0.9.7h and 0.9.8 SSL_load_client_CA_file()
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	729 * always leaved an error in the error queue
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	730 */
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	731
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	732 ERR_clear_error();
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	733
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	734 SSL_CTX_set_client_CA_list(ssl->ctx, list);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	735
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	736 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	737 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	738
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	739
2995 cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	740 ngx_int_t
4872 7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	741 ngx_ssl_trusted_certificate(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *cert,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	742 ngx_int_t depth)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	743 {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	744 SSL_CTX_set_verify_depth(ssl->ctx, depth);
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	745
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	746 if (cert->len == 0) {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	747 return NGX_OK;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	748 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	749
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	750 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
4872 7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	751 return NGX_ERROR;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	752 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	753
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	754 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	755 == 0)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	756 {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	757 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	758 "SSL_CTX_load_verify_locations(\"%s\") failed",
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	759 cert->data);
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	760 return NGX_ERROR;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	761 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	762
5365 6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	763 /*
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	764 * SSL_CTX_load_verify_locations() may leave errors in the error queue
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	765 * while returning success
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	766 */
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	767
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	768 ERR_clear_error();
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	769
4872 7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	770 return NGX_OK;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	771 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	772
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	773
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	774 ngx_int_t
2995 cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	775 ngx_ssl_crl(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *crl)
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	776 {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	777 X509_STORE *store;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	778 X509_LOOKUP *lookup;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	779
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	780 if (crl->len == 0) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	781 return NGX_OK;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	782 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	783
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	784 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
2995 cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	785 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	786 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	787
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	788 store = SSL_CTX_get_cert_store(ssl->ctx);
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	789
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	790 if (store == NULL) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	791 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	792 "SSL_CTX_get_cert_store() failed");
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	793 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	794 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	795
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	796 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	797
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	798 if (lookup == NULL) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	799 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	800 "X509_STORE_add_lookup() failed");
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	801 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	802 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	803
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	804 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM)
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	805 == 0)
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	806 {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	807 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	808 "X509_LOOKUP_load_file(\"%s\") failed", crl->data);
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	809 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	810 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	811
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	812 X509_STORE_set_flags(store,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	813 X509_V_FLAG_CRL_CHECK\|X509_V_FLAG_CRL_CHECK_ALL);
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	814
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	815 return NGX_OK;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	816 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	817
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	818
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	819 static int
5222 23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules. Piotr Sikora <piotr@cloudflare.com> parents: 5081 diff changeset	820 ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	821 {
1977 40c9cb8576bb get certificate info only for debug build Igor Sysoev <igor@sysoev.ru> parents: 1976 diff changeset	822 #if (NGX_DEBUG)
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	823 char subject, issuer;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	824 int err, depth;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	825 X509 *cert;
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	826 X509_NAME sname, iname;
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	827 ngx_connection_t *c;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	828 ngx_ssl_conn_t *ssl_conn;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	829
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	830 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	831 SSL_get_ex_data_X509_STORE_CTX_idx());
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	832
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	833 c = ngx_ssl_get_connection(ssl_conn);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	834
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	835 cert = X509_STORE_CTX_get_current_cert(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	836 err = X509_STORE_CTX_get_error(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	837 depth = X509_STORE_CTX_get_error_depth(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	838
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	839 sname = X509_get_subject_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	840 subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)";
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	841
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	842 iname = X509_get_issuer_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	843 issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)";
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	844
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	845 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	846 "verify:%d, error:%d, depth:%d, "
5775 294d020bbcfe SSL: misplaced space in debug message. Maxim Dounin <mdounin@mdounin.ru> parents: 5767 diff changeset	847 "subject:\"%s\", issuer:\"%s\"",
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	848 ok, err, depth, subject, issuer);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	849
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	850 if (sname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	851 OPENSSL_free(subject);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	852 }
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	853
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	854 if (iname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	855 OPENSSL_free(issuer);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	856 }
1977 40c9cb8576bb get certificate info only for debug build Igor Sysoev <igor@sysoev.ru> parents: 1976 diff changeset	857 #endif
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	858
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	859 return 1;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	860 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	861
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	862
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	863 static void
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	864 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	865 {
5395 a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	866 BIO rbio, wbio;
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	867 ngx_connection_t *c;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	868
7356 e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	869 #ifndef SSL_OP_NO_RENEGOTIATION
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	870
6982 ac9b1df5b246 SSL: disabled renegotiation detection in client mode. Sergey Kandaurov <pluknet@nginx.com> parents: 6981 diff changeset	871 if ((where & SSL_CB_HANDSHAKE_START)
ac9b1df5b246 SSL: disabled renegotiation detection in client mode. Sergey Kandaurov <pluknet@nginx.com> parents: 6981 diff changeset	872 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
ac9b1df5b246 SSL: disabled renegotiation detection in client mode. Sergey Kandaurov <pluknet@nginx.com> parents: 6981 diff changeset	873 {
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	874 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	875
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	876 if (c->ssl->handshaked) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	877 c->ssl->renegotiation = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	878 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	879 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	880 }
5395 a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	881
7356 e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	882 #endif
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	883
5395 a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	884 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	885 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	886
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	887 if (!c->ssl->handshake_buffer_set) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	888 /*
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	889 * By default OpenSSL uses 4k buffer during a handshake,
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	890 * which is too low for long certificate chains and might
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	891 * result in extra round-trips.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	892 *
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	893 * To adjust a buffer size we detect that buffering was added
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	894 * to write side of the connection by comparing rbio and wbio.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	895 * If they are different, we assume that it's due to buffering
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	896 * added to wbio, and set buffer size.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	897 */
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	898
5423 5b5a486bd40e SSL: fixed build with OpenSSL 0.9.7. Maxim Dounin <mdounin@mdounin.ru> parents: 5395 diff changeset	899 rbio = SSL_get_rbio((ngx_ssl_conn_t *) ssl_conn);
5b5a486bd40e SSL: fixed build with OpenSSL 0.9.7. Maxim Dounin <mdounin@mdounin.ru> parents: 5395 diff changeset	900 wbio = SSL_get_wbio((ngx_ssl_conn_t *) ssl_conn);
5395 a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	901
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	902 if (rbio != wbio) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	903 (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE);
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	904 c->ssl->handshake_buffer_set = 1;
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	905 }
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	906 }
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	907 }
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	908 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	909
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	910
3959 b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	911 RSA *
5223 71d85de7b53b Style: replace SSL ssl with ngx_ssl_conn_t ssl_conn. Piotr Sikora <piotr@cloudflare.com> parents: 5222 diff changeset	912 ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
71d85de7b53b Style: replace SSL ssl with ngx_ssl_conn_t ssl_conn. Piotr Sikora <piotr@cloudflare.com> parents: 5222 diff changeset	913 int key_length)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	914 {
3959 b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	915 static RSA *key;
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	916
5754 c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	917 if (key_length != 512) {
c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	918 return NULL;
c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	919 }
c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	920
6489 c256dfdd469d SSL: RSA_generate_key() is deprecated in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6488 diff changeset	921 #if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED)
5755 8df08465fcfd SSL: fixed build with OPENSSL_NO_DEPRECATED defined. Maxim Dounin <mdounin@mdounin.ru> parents: 5754 diff changeset	922
5754 c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	923 if (key == NULL) {
c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	924 key = RSA_generate_key(512, RSA_F4, NULL, NULL);
559 c1f965ef9718 nginx-0.3.1-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 549 diff changeset	925 }
c1f965ef9718 nginx-0.3.1-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 549 diff changeset	926
5755 8df08465fcfd SSL: fixed build with OPENSSL_NO_DEPRECATED defined. Maxim Dounin <mdounin@mdounin.ru> parents: 5754 diff changeset	927 #endif
8df08465fcfd SSL: fixed build with OPENSSL_NO_DEPRECATED defined. Maxim Dounin <mdounin@mdounin.ru> parents: 5754 diff changeset	928
3959 b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	929 return key;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	930 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	931
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	932
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	933 ngx_array_t *
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	934 ngx_ssl_read_password_file(ngx_conf_t cf, ngx_str_t file)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	935 {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	936 u_char p, last, *end;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	937 size_t len;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	938 ssize_t n;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	939 ngx_fd_t fd;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	940 ngx_str_t *pwd;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	941 ngx_array_t *passwords;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	942 ngx_pool_cleanup_t *cln;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	943 u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE];
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	944
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	945 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	946 return NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	947 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	948
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	949 cln = ngx_pool_cleanup_add(cf->temp_pool, 0);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	950 passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t));
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	951
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	952 if (cln == NULL \|\| passwords == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	953 return NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	954 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	955
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	956 cln->handler = ngx_ssl_passwords_cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	957 cln->data = passwords;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	958
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	959 fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
7086 577628e6b6a6 Style. Sergey Kandaurov <pluknet@nginx.com> parents: 7074 diff changeset	960
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	961 if (fd == NGX_INVALID_FILE) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	962 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	963 ngx_open_file_n " \"%s\" failed", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	964 return NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	965 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	966
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	967 len = 0;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	968 last = buf;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	969
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	970 do {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	971 n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	972
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	973 if (n == -1) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	974 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	975 ngx_read_fd_n " \"%s\" failed", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	976 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	977 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	978 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	979
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	980 end = last + n;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	981
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	982 if (len && n == 0) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	983 *end++ = LF;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	984 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	985
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	986 p = buf;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	987
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	988 for ( ;; ) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	989 last = ngx_strlchr(last, end, LF);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	990
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	991 if (last == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	992 break;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	993 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	994
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	995 len = last++ - p;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	996
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	997 if (len && p[len - 1] == CR) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	998 len--;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	999 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1000
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1001 if (len) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1002 pwd = ngx_array_push(passwords);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1003 if (pwd == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1004 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1005 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1006 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1007
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1008 pwd->len = len;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1009 pwd->data = ngx_pnalloc(cf->temp_pool, len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1010
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1011 if (pwd->data == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1012 passwords->nelts--;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1013 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1014 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1015 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1016
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1017 ngx_memcpy(pwd->data, p, len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1018 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1019
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1020 p = last;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1021 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1022
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1023 len = end - p;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1024
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1025 if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1026 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1027 "too long line in \"%s\"", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1028 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1029 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1030 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1031
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1032 ngx_memmove(buf, p, len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1033 last = buf + len;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1034
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1035 } while (n != 0);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1036
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1037 if (passwords->nelts == 0) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1038 pwd = ngx_array_push(passwords);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1039 if (pwd == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1040 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1041 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1042 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1043
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1044 ngx_memzero(pwd, sizeof(ngx_str_t));
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1045 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1046
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1047 cleanup:
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1048
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1049 if (ngx_close_file(fd) == NGX_FILE_ERROR) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1050 ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1051 ngx_close_file_n " \"%s\" failed", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1052 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1053
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1054 ngx_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1055
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1056 return passwords;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1057 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1058
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1059
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1060 static void
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1061 ngx_ssl_passwords_cleanup(void *data)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1062 {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1063 ngx_array_t *passwords = data;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1064
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1065 ngx_str_t *pwd;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1066 ngx_uint_t i;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1067
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1068 pwd = passwords->elts;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1069
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1070 for (i = 0; i < passwords->nelts; i++) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1071 ngx_memzero(pwd[i].data, pwd[i].len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1072 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1073 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1074
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1075
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1076 ngx_int_t
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1077 ngx_ssl_dhparam(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *file)
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1078 {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1079 DH *dh;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1080 BIO *bio;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1081
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1082 if (file->len == 0) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1083 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1084 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1085
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	1086 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1087 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1088 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1089
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1090 bio = BIO_new_file((char *) file->data, "r");
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1091 if (bio == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1092 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1093 "BIO_new_file(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1094 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1095 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1096
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1097 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1098 if (dh == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1099 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1100 "PEM_read_bio_DHparams(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1101 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1102 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1103 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1104
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1105 SSL_CTX_set_tmp_dh(ssl->ctx, dh);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1106
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1107 DH_free(dh);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1108 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1109
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1110 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1111 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1112
4522 14411ee4d89f Whitespace fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4499 diff changeset	1113
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1114 ngx_int_t
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1115 ngx_ssl_ecdh_curve(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *name)
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1116 {
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1117 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1118 #ifndef OPENSSL_NO_ECDH
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1119
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1120 /*
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1121 * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
4572 67653855682e Fixed spelling in multiline C comments. Ruslan Ermilov <ru@nginx.com> parents: 4522 diff changeset	1122 * from RFC 4492 section 5.1.1, or explicitly described curves over
6552 addd98357629 SSL: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6551 diff changeset	1123 * binary fields. OpenSSL only supports the "named curves", which provide
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1124 * maximum interoperability.
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1125 */
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1126
6983 3518287d995e SSL: compatibility with OpenSSL master branch. Sergey Kandaurov <pluknet@nginx.com> parents: 6982 diff changeset	1127 #if (defined SSL_CTX_set1_curves_list \|\| defined SSL_CTRL_SET_CURVES_LIST)
6553 2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1128
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1129 /*
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1130 * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1131 * curve previously supported. By default an internal list is used,
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1132 * with prime256v1 being preferred by server in OpenSSL 1.0.2b+
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1133 * and X25519 in OpenSSL 1.1.0+.
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1134 *
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1135 * By default a curve preferred by the client will be used for
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1136 * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1137 * be used to prefer server curves instead, similar to what it
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1138 * does for ciphers.
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1139 */
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1140
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1141 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1142
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1143 #if SSL_CTRL_SET_ECDH_AUTO
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1144 /* not needed in OpenSSL 1.1.0+ */
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1145 SSL_CTX_set_ecdh_auto(ssl->ctx, 1);
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1146 #endif
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1147
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1148 if (ngx_strcmp(name->data, "auto") == 0) {
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1149 return NGX_OK;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1150 }
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1151
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1152 if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) {
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1153 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1154 "SSL_CTX_set1_curves_list(\"%s\") failed", name->data);
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1155 return NGX_ERROR;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1156 }
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1157
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1158 #else
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1159
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1160 int nid;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1161 char *curve;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1162 EC_KEY *ecdh;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1163
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1164 if (ngx_strcmp(name->data, "auto") == 0) {
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1165 curve = "prime256v1";
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1166
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1167 } else {
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1168 curve = (char *) name->data;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1169 }
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1170
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1171 nid = OBJ_sn2nid(curve);
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1172 if (nid == 0) {
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1173 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
6553 2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1174 "OBJ_sn2nid(\"%s\") failed: unknown curve", curve);
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1175 return NGX_ERROR;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1176 }
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1177
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1178 ecdh = EC_KEY_new_by_curve_name(nid);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1179 if (ecdh == NULL) {
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1180 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
6553 2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1181 "EC_KEY_new_by_curve_name(\"%s\") failed", curve);
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1182 return NGX_ERROR;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1183 }
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1184
5003 82234f3f5ca2 SSL: speedup loading of configs with many ssl servers. Maxim Dounin <mdounin@mdounin.ru> parents: 4877 diff changeset	1185 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
82234f3f5ca2 SSL: speedup loading of configs with many ssl servers. Maxim Dounin <mdounin@mdounin.ru> parents: 4877 diff changeset	1186
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1187 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1188
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1189 EC_KEY_free(ecdh);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1190 #endif
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1191 #endif
6553 2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1192 #endif
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1193
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1194 return NGX_OK;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1195 }
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1196
4522 14411ee4d89f Whitespace fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4499 diff changeset	1197
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1198 ngx_int_t
7333 ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1199 ngx_ssl_early_data(ngx_conf_t cf, ngx_ssl_t ssl, ngx_uint_t enable)
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1200 {
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1201 if (!enable) {
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1202 return NGX_OK;
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1203 }
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1204
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1205 #ifdef SSL_ERROR_EARLY_DATA_REJECTED
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1206
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1207 /* BoringSSL */
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1208
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1209 SSL_CTX_set_early_data_enabled(ssl->ctx, 1);
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1210
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1211 #elif defined SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1212
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1213 /* OpenSSL */
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1214
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1215 SSL_CTX_set_max_early_data(ssl->ctx, NGX_SSL_BUFSIZE);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1216
7333 ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1217 #else
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1218 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1219 "\"ssl_early_data\" is not supported on this platform, "
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1220 "ignored");
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1221 #endif
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1222
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1223 return NGX_OK;
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1224 }
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1225
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1226
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	1227 ngx_int_t
7320 696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1228 ngx_ssl_client_session_cache(ngx_conf_t cf, ngx_ssl_t ssl, ngx_uint_t enable)
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1229 {
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1230 if (!enable) {
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1231 return NGX_OK;
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1232 }
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1233
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1234 SSL_CTX_set_session_cache_mode(ssl->ctx,
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1235 SSL_SESS_CACHE_CLIENT
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1236 \|SSL_SESS_CACHE_NO_INTERNAL);
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1237
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1238 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session);
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1239
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1240 return NGX_OK;
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1241 }
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1242
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1243
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1244 static int
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1245 ngx_ssl_new_client_session(ngx_ssl_conn_t ssl_conn, ngx_ssl_session_t sess)
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1246 {
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1247 ngx_connection_t *c;
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1248
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1249 c = ngx_ssl_get_connection(ssl_conn);
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1250
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1251 if (c->ssl->save_session) {
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1252 c->ssl->session = sess;
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1253
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1254 c->ssl->save_session(c);
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1255
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1256 c->ssl->session = NULL;
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1257 }
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1258
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1259 return 0;
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1260 }
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1261
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1262
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1263 ngx_int_t
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1264 ngx_ssl_create_connection(ngx_ssl_t ssl, ngx_connection_t c, ngx_uint_t flags)
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1265 {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1266 ngx_ssl_connection_t *sc;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1267
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1268 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1269 if (sc == NULL) {
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1270 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1271 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1272
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1273 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	1274 sc->buffer_size = ssl->buffer_size;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1275
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	1276 sc->session_ctx = ssl->ctx;
97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	1277
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1278 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1279 if (SSL_CTX_get_max_early_data(ssl->ctx)) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1280 sc->try_early_data = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1281 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1282 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1283
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1284 sc->connection = SSL_new(ssl->ctx);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1285
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1286 if (sc->connection == NULL) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1287 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed");
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1288 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1289 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1290
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1291 if (SSL_set_fd(sc->connection, c->fd) == 0) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1292 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed");
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1293 return NGX_ERROR;
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1294 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1295
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1296 if (flags & NGX_SSL_CLIENT) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1297 SSL_set_connect_state(sc->connection);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1298
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1299 } else {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1300 SSL_set_accept_state(sc->connection);
7319 dcab86115261 SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376). Maxim Dounin <mdounin@mdounin.ru> parents: 7318 diff changeset	1301
dcab86115261 SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376). Maxim Dounin <mdounin@mdounin.ru> parents: 7318 diff changeset	1302 #ifdef SSL_OP_NO_RENEGOTIATION
dcab86115261 SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376). Maxim Dounin <mdounin@mdounin.ru> parents: 7318 diff changeset	1303 SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION);
dcab86115261 SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376). Maxim Dounin <mdounin@mdounin.ru> parents: 7318 diff changeset	1304 #endif
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1305 }
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1306
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	1307 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	1308 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	1309 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	1310 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	1311
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1312 c->ssl = sc;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1313
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1314 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1315 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1316
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1317
7320 696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1318 ngx_ssl_session_t *
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1319 ngx_ssl_get_session(ngx_connection_t *c)
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1320 {
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1321 #ifdef TLS1_3_VERSION
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1322 if (c->ssl->session) {
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1323 SSL_SESSION_up_ref(c->ssl->session);
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1324 return c->ssl->session;
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1325 }
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1326 #endif
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1327
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1328 return SSL_get1_session(c->ssl->connection);
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1329 }
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1330
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1331
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1332 ngx_ssl_session_t *
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1333 ngx_ssl_get0_session(ngx_connection_t *c)
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1334 {
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1335 if (c->ssl->session) {
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1336 return c->ssl->session;
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1337 }
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1338
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1339 return SSL_get0_session(c->ssl->connection);
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1340 }
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1341
696df3ac27ac SSL: save sessions for upstream peers using a callback function. Sergey Kandaurov <pluknet@nginx.com> parents: 7319 diff changeset	1342
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1343 ngx_int_t
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1344 ngx_ssl_set_session(ngx_connection_t c, ngx_ssl_session_t session)
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1345 {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1346 if (session) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1347 if (SSL_set_session(c->ssl->connection, session) == 0) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1348 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed");
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1349 return NGX_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1350 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1351 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1352
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1353 return NGX_OK;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1354 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1355
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1356
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1357 ngx_int_t
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1358 ngx_ssl_handshake(ngx_connection_t *c)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1359 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1360 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1361 ngx_err_t err;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1362
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1363 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1364 if (c->ssl->try_early_data) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1365 return ngx_ssl_try_early_data(c);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1366 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1367 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1368
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1369 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1370
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1371 n = SSL_do_handshake(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1372
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1373 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1374
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1375 if (n == 1) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1376
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1377 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1378 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1379 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1380
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1381 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1382 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1383 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1384
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1385 #if (NGX_DEBUG)
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1386 ngx_ssl_handshake_log(c);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1387 #endif
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1388
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1389 c->ssl->handshaked = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1390
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1391 c->recv = ngx_ssl_recv;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1392 c->send = ngx_ssl_write;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1393 c->recv_chain = ngx_ssl_recv_chain;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1394 c->send_chain = ngx_ssl_send_chain;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1395
7356 e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	1396 #ifndef SSL_OP_NO_RENEGOTIATION
6255 b40af2fd1c16 SSL: compatibility with OpenSSL master branch. Maxim Dounin <mdounin@mdounin.ru> parents: 6036 diff changeset	1397 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5946 ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. Lukas Tribus <luky-37@hotmail.com> parents: 5934 diff changeset	1398 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. Lukas Tribus <luky-37@hotmail.com> parents: 5934 diff changeset	1399
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1400 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
6995 eb5d119323d8 SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6983 diff changeset	1401 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) {
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1402 c->ssl->connection->s3->flags \|= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1403 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1404
5946 ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. Lukas Tribus <luky-37@hotmail.com> parents: 5934 diff changeset	1405 #endif
6255 b40af2fd1c16 SSL: compatibility with OpenSSL master branch. Maxim Dounin <mdounin@mdounin.ru> parents: 6036 diff changeset	1406 #endif
7356 e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	1407 #endif
5946 ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. Lukas Tribus <luky-37@hotmail.com> parents: 5934 diff changeset	1408
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1409 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1410 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1411
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1412 sslerr = SSL_get_error(c->ssl->connection, n);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1413
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1414 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1415
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1416 if (sslerr == SSL_ERROR_WANT_READ) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1417 c->read->ready = 0;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1418 c->read->handler = ngx_ssl_handshake_handler;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1419 c->write->handler = ngx_ssl_handshake_handler;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1420
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1421 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1422 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1423 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1424
5024 03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1425 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1426 return NGX_ERROR;
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1427 }
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1428
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1429 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1430 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1431
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1432 if (sslerr == SSL_ERROR_WANT_WRITE) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1433 c->write->ready = 0;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1434 c->read->handler = ngx_ssl_handshake_handler;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1435 c->write->handler = ngx_ssl_handshake_handler;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1436
5024 03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1437 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1438 return NGX_ERROR;
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1439 }
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1440
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1441 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1442 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1443 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1444
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1445 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1446 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1447
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1448 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1449
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1450 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1451 c->ssl->no_send_shutdown = 1;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1452 c->read->eof = 1;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1453
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1454 if (sslerr == SSL_ERROR_ZERO_RETURN \|\| ERR_peek_error() == 0) {
5747 57c05ff57980 SSL: logging level of "peer closed connection in SSL handshake". Maxim Dounin <mdounin@mdounin.ru> parents: 5744 diff changeset	1455 ngx_connection_error(c, err,
57c05ff57980 SSL: logging level of "peer closed connection in SSL handshake". Maxim Dounin <mdounin@mdounin.ru> parents: 5744 diff changeset	1456 "peer closed connection in SSL handshake");
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1457
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1458 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1459 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1460
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1461 c->read->error = 1;
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1462
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1463 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1464
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1465 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1466 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1467
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1468
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1469 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1470
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1471 static ngx_int_t
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1472 ngx_ssl_try_early_data(ngx_connection_t *c)
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1473 {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1474 int n, sslerr;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1475 u_char buf;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1476 size_t readbytes;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1477 ngx_err_t err;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1478
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1479 ngx_ssl_clear_error(c->log);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1480
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1481 readbytes = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1482
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1483 n = SSL_read_early_data(c->ssl->connection, &buf, 1, &readbytes);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1484
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1485 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1486 "SSL_read_early_data: %d, %uz", n, readbytes);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1487
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1488 if (n == SSL_READ_EARLY_DATA_FINISH) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1489 c->ssl->try_early_data = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1490 return ngx_ssl_handshake(c);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1491 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1492
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1493 if (n == SSL_READ_EARLY_DATA_SUCCESS) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1494
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1495 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1496 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1497 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1498
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1499 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1500 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1501 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1502
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1503 #if (NGX_DEBUG)
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1504 ngx_ssl_handshake_log(c);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1505 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1506
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1507 c->ssl->try_early_data = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1508
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1509 c->ssl->early_buf = buf;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1510 c->ssl->early_preread = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1511
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1512 c->ssl->handshaked = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1513 c->ssl->in_early = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1514
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1515 c->recv = ngx_ssl_recv;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1516 c->send = ngx_ssl_write;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1517 c->recv_chain = ngx_ssl_recv_chain;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1518 c->send_chain = ngx_ssl_send_chain;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1519
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1520 return NGX_OK;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1521 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1522
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1523 /* SSL_READ_EARLY_DATA_ERROR */
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1524
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1525 sslerr = SSL_get_error(c->ssl->connection, n);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1526
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1527 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1528
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1529 if (sslerr == SSL_ERROR_WANT_READ) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1530 c->read->ready = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1531 c->read->handler = ngx_ssl_handshake_handler;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1532 c->write->handler = ngx_ssl_handshake_handler;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1533
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1534 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1535 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1536 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1537
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1538 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1539 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1540 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1541
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1542 return NGX_AGAIN;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1543 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1544
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1545 if (sslerr == SSL_ERROR_WANT_WRITE) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1546 c->write->ready = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1547 c->read->handler = ngx_ssl_handshake_handler;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1548 c->write->handler = ngx_ssl_handshake_handler;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1549
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1550 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1551 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1552 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1553
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1554 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1555 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1556 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1557
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1558 return NGX_AGAIN;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1559 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1560
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1561 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1562
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1563 c->ssl->no_wait_shutdown = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1564 c->ssl->no_send_shutdown = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1565 c->read->eof = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1566
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1567 if (sslerr == SSL_ERROR_ZERO_RETURN \|\| ERR_peek_error() == 0) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1568 ngx_connection_error(c, err,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1569 "peer closed connection in SSL handshake");
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1570
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1571 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1572 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1573
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1574 c->read->error = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1575
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1576 ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1577
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1578 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1579 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1580
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1581 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1582
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1583
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1584 #if (NGX_DEBUG)
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1585
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1586 static void
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1587 ngx_ssl_handshake_log(ngx_connection_t *c)
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1588 {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1589 char buf[129], s, d;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1590 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1591 const
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1592 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1593 SSL_CIPHER *cipher;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1594
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1595 cipher = SSL_get_current_cipher(c->ssl->connection);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1596
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1597 if (cipher) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1598 SSL_CIPHER_description(cipher, &buf[1], 128);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1599
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1600 for (s = &buf[1], d = buf; *s; s++) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1601 if (s == ' ' && d == ' ') {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1602 continue;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1603 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1604
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1605 if (s == LF \|\| s == CR) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1606 continue;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1607 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1608
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1609 ++d = s;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1610 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1611
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1612 if (*d != ' ') {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1613 d++;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1614 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1615
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1616 *d = '\0';
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1617
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1618 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1619 "SSL: %s, cipher: \"%s\"",
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1620 SSL_get_version(c->ssl->connection), &buf[1]);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1621
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1622 if (SSL_session_reused(c->ssl->connection)) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1623 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1624 "SSL reused session");
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1625 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1626
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1627 } else {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1628 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1629 "SSL no shared ciphers");
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1630 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1631 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1632
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1633 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1634
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1635
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1636 static void
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1637 ngx_ssl_handshake_handler(ngx_event_t *ev)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1638 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1639 ngx_connection_t *c;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1640
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1641 c = ev->data;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1642
549 e16a8d574da5 nginx-0.2.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 547 diff changeset	1643 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1644 "SSL handshake handler: %d", ev->write);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1645
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1646 if (ev->timedout) {
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1647 c->ssl->handler(c);
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1648 return;
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1649 }
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1650
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1651 if (ngx_ssl_handshake(c) == NGX_AGAIN) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1652 return;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1653 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1654
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1655 c->ssl->handler(c);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1656 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1657
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1658
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1659 ssize_t
5882 ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1660 ngx_ssl_recv_chain(ngx_connection_t c, ngx_chain_t cl, off_t limit)
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1661 {
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1662 u_char *last;
5882 ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1663 ssize_t n, bytes, size;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1664 ngx_buf_t *b;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1665
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1666 bytes = 0;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1667
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1668 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1669 last = b->last;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1670
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1671 for ( ;; ) {
5882 ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1672 size = b->end - last;
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1673
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1674 if (limit) {
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1675 if (bytes >= limit) {
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1676 return bytes;
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1677 }
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1678
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1679 if (bytes + size > limit) {
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1680 size = (ssize_t) (limit - bytes);
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1681 }
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1682 }
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1683
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1684 n = ngx_ssl_recv(c, last, size);
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1685
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1686 if (n > 0) {
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1687 last += n;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1688 bytes += n;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1689
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1690 if (last == b->end) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1691 cl = cl->next;
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1692
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1693 if (cl == NULL) {
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1694 return bytes;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1695 }
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1696
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1697 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1698 last = b->last;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1699 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1700
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1701 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1702 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1703
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1704 if (bytes) {
2052 b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1705
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1706 if (n == 0 \|\| n == NGX_ERROR) {
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1707 c->read->ready = 1;
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1708 }
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1709
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1710 return bytes;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1711 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1712
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1713 return n;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1714 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1715 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1716
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1717
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1718 ssize_t
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1719 ngx_ssl_recv(ngx_connection_t c, u_char buf, size_t size)
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1720 {
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1721 int n, bytes;
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1722
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1723 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1724 if (c->ssl->in_early) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1725 return ngx_ssl_recv_early(c, buf, size);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1726 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1727 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1728
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1729 if (c->ssl->last == NGX_ERROR) {
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1730 c->read->error = 1;
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1731 return NGX_ERROR;
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1732 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1733
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1734 if (c->ssl->last == NGX_DONE) {
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1735 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1736 c->read->eof = 1;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1737 return 0;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1738 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1739
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1740 bytes = 0;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1741
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1742 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1743
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1744 /*
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1745 * SSL_read() may return data in parts, so try to read
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1746 * until SSL_read() would return no data
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1747 */
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1748
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1749 for ( ;; ) {
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1750
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1751 n = SSL_read(c->ssl->connection, buf, size);
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1752
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1753 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1754
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1755 if (n > 0) {
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1756 bytes += n;
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1757 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1758
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1759 c->ssl->last = ngx_ssl_handle_recv(c, n);
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1760
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1761 if (c->ssl->last == NGX_OK) {
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1762
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1763 size -= n;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1764
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1765 if (size == 0) {
5450 9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1766 c->read->ready = 1;
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1767 return bytes;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1768 }
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1769
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1770 buf += n;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1771
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1772 continue;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1773 }
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1774
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1775 if (bytes) {
5450 9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1776 if (c->ssl->last != NGX_AGAIN) {
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1777 c->read->ready = 1;
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1778 }
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1779
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1780 return bytes;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1781 }
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1782
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1783 switch (c->ssl->last) {
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1784
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1785 case NGX_DONE:
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1786 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1787 c->read->eof = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1788 return 0;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1789
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1790 case NGX_ERROR:
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1791 c->read->error = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1792
4499 778ef9c3fd2d Fixed spelling in single-line comments. Ruslan Ermilov <ru@nginx.com> parents: 4497 diff changeset	1793 /* fall through */
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1794
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1795 case NGX_AGAIN:
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1796 return c->ssl->last;
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	1797 }
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1798 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1799 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1800
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1801
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1802 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1803
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1804 static ssize_t
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1805 ngx_ssl_recv_early(ngx_connection_t c, u_char buf, size_t size)
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1806 {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1807 int n, bytes;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1808 size_t readbytes;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1809
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1810 if (c->ssl->last == NGX_ERROR) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1811 c->read->error = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1812 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1813 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1814
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1815 if (c->ssl->last == NGX_DONE) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1816 c->read->ready = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1817 c->read->eof = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1818 return 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1819 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1820
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1821 bytes = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1822
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1823 ngx_ssl_clear_error(c->log);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1824
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1825 if (c->ssl->early_preread) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1826
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1827 if (size == 0) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1828 c->read->ready = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1829 c->read->eof = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1830 return 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1831 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1832
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1833 *buf = c->ssl->early_buf;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1834
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1835 c->ssl->early_preread = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1836
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1837 bytes = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1838 size -= 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1839 buf += 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1840 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1841
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1842 /*
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1843 * SSL_read_early_data() may return data in parts, so try to read
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1844 * until SSL_read_early_data() would return no data
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1845 */
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1846
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1847 for ( ;; ) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1848
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1849 readbytes = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1850
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1851 n = SSL_read_early_data(c->ssl->connection, buf, size, &readbytes);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1852
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1853 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1854 "SSL_read_early_data: %d, %uz", n, readbytes);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1855
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1856 if (n == SSL_READ_EARLY_DATA_SUCCESS) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1857
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1858 c->ssl->last = ngx_ssl_handle_recv(c, 1);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1859
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1860 bytes += readbytes;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1861 size -= readbytes;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1862
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1863 if (size == 0) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1864 c->read->ready = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1865 return bytes;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1866 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1867
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1868 buf += readbytes;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1869
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1870 continue;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1871 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1872
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1873 if (n == SSL_READ_EARLY_DATA_FINISH) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1874
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1875 c->ssl->last = ngx_ssl_handle_recv(c, 1);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1876 c->ssl->in_early = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1877
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1878 if (bytes) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1879 c->read->ready = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1880 return bytes;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1881 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1882
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1883 return ngx_ssl_recv(c, buf, size);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1884 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1885
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1886 /* SSL_READ_EARLY_DATA_ERROR */
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1887
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1888 c->ssl->last = ngx_ssl_handle_recv(c, 0);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1889
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1890 if (bytes) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1891 if (c->ssl->last != NGX_AGAIN) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1892 c->read->ready = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1893 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1894
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1895 return bytes;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1896 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1897
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1898 switch (c->ssl->last) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1899
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1900 case NGX_DONE:
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1901 c->read->ready = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1902 c->read->eof = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1903 return 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1904
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1905 case NGX_ERROR:
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1906 c->read->error = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1907
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1908 /* fall through */
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1909
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1910 case NGX_AGAIN:
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1911 return c->ssl->last;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1912 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1913 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1914 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1915
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1916 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1917
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	1918
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1919 static ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1920 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1921 {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1922 int sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1923 ngx_err_t err;
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1924
7356 e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	1925 #ifndef SSL_OP_NO_RENEGOTIATION
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	1926
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1927 if (c->ssl->renegotiation) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1928 /*
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1929 * disable renegotiation (CVE-2009-3555):
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1930 * OpenSSL (at least up to 0.9.8l) does not handle disabled
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1931 * renegotiation gracefully, so drop connection here
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1932 */
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1933
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1934 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1935
4236 2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1936 while (ERR_peek_error()) {
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1937 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1938 "ignoring stale global SSL error");
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1939 }
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1940
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1941 ERR_clear_error();
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1942
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1943 c->ssl->no_wait_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1944 c->ssl->no_send_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1945
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1946 return NGX_ERROR;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1947 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1948
7356 e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	1949 #endif
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION. Maxim Dounin <mdounin@mdounin.ru> parents: 7353 diff changeset	1950
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1951 if (n > 0) {
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	1952
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1953 if (c->ssl->saved_write_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1954
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1955 c->write->handler = c->ssl->saved_write_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1956 c->ssl->saved_write_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1957 c->write->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1958
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1959 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1960 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1961 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1962
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	1963 ngx_post_event(c->write, &ngx_posted_events);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1964 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1965
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1966 return NGX_OK;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1967 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1968
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1969 sslerr = SSL_get_error(c->ssl->connection, n);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1970
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1971 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1972
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1973 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1974
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1975 if (sslerr == SSL_ERROR_WANT_READ) {
7353 87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1976
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1977 if (c->ssl->saved_write_handler) {
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1978
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1979 c->write->handler = c->ssl->saved_write_handler;
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1980 c->ssl->saved_write_handler = NULL;
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1981 c->write->ready = 1;
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1982
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1983 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1984 return NGX_ERROR;
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1985 }
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1986
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1987 ngx_post_event(c->write, &ngx_posted_events);
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1988 }
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	1989
455 295d97d70c69 nginx-0.1.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 452 diff changeset	1990 c->read->ready = 0;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1991 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1992 }
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1993
445 f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import Igor Sysoev <igor@sysoev.ru> parents: 444 diff changeset	1994 if (sslerr == SSL_ERROR_WANT_WRITE) {
539 371c1cee100d nginx-0.1.44-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 513 diff changeset	1995
7352 0de0b16a551c SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging. Maxim Dounin <mdounin@mdounin.ru> parents: 7333 diff changeset	1996 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
0de0b16a551c SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging. Maxim Dounin <mdounin@mdounin.ru> parents: 7333 diff changeset	1997 "SSL_read: want write");
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1998
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1999 c->write->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2000
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	2001 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2002 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2003 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2004
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2005 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2006 * we do not set the timer because there is already the read event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2007 */
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2008
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2009 if (c->ssl->saved_write_handler == NULL) {
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2010 c->ssl->saved_write_handler = c->write->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2011 c->write->handler = ngx_ssl_write_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2012 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2013
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2014 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2015 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2016
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2017 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2018 c->ssl->no_send_shutdown = 1;
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	2019
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2020 if (sslerr == SSL_ERROR_ZERO_RETURN \|\| ERR_peek_error() == 0) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2021 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2022 "peer shutdown SSL cleanly");
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2023 return NGX_DONE;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2024 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2025
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2026 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2027
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2028 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2029 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2030
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2031
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2032 static void
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2033 ngx_ssl_write_handler(ngx_event_t *wev)
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2034 {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2035 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2036
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2037 c = wev->data;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2038
7352 0de0b16a551c SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging. Maxim Dounin <mdounin@mdounin.ru> parents: 7333 diff changeset	2039 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL write handler");
0de0b16a551c SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging. Maxim Dounin <mdounin@mdounin.ru> parents: 7333 diff changeset	2040
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2041 c->read->handler(c->read);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2042 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2043
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2044
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2045 /*
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2046 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2047 * before the SSL_write() call to decrease a SSL overhead.
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2048 *
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2049 * Besides for protocols such as HTTP it is possible to always buffer
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2050 * the output to decrease a SSL overhead some more.
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2051 */
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2052
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2053 ngx_chain_t *
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2054 ngx_ssl_send_chain(ngx_connection_t c, ngx_chain_t in, off_t limit)
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2055 {
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2056 int n;
399 4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import Igor Sysoev <igor@sysoev.ru> parents: 398 diff changeset	2057 ngx_uint_t flush;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2058 ssize_t send, size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2059 ngx_buf_t *buf;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2060
2280 6453161bf53e always use buffer, if connection is buffered, Igor Sysoev <igor@sysoev.ru> parents: 2165 diff changeset	2061 if (!c->ssl->buffer) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2062
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2063 while (in) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2064 if (ngx_buf_special(in->buf)) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2065 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2066 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2067 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2068
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2069 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2070
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2071 if (n == NGX_ERROR) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2072 return NGX_CHAIN_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2073 }
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2074
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2075 if (n == NGX_AGAIN) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2076 return in;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2077 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2078
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2079 in->buf->pos += n;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2080
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2081 if (in->buf->pos == in->buf->last) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2082 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2083 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2084 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2085
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2086 return in;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2087 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2088
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2089
3962 df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	2090 /* the maximum limit size is the maximum int32_t value - the page size */
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	2091
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	2092 if (limit == 0 \|\| limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	2093 limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2094 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2095
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2096 buf = c->ssl->buf;
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2097
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2098 if (buf == NULL) {
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	2099 buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size);
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2100 if (buf == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2101 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2102 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2103
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2104 c->ssl->buf = buf;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2105 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2106
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2107 if (buf->start == NULL) {
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	2108 buf->start = ngx_palloc(c->pool, c->ssl->buffer_size);
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2109 if (buf->start == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2110 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2111 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2112
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2113 buf->pos = buf->start;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2114 buf->last = buf->start;
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	2115 buf->end = buf->start + c->ssl->buffer_size;
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2116 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2117
5023 70a35b7b63ea SSL: take into account data in the buffer while limiting output. Valentin Bartenev <vbart@nginx.com> parents: 5022 diff changeset	2118 send = buf->last - buf->pos;
5020 587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	2119 flush = (in == NULL) ? 1 : buf->flush;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2120
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2121 for ( ;; ) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2122
3283 52b1624b93c2 fix segfault in SSL if limit_rate is used Igor Sysoev <igor@sysoev.ru> parents: 3159 diff changeset	2123 while (in && buf->last < buf->end && send < limit) {
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2124 if (in->buf->last_buf \|\| in->buf->flush) {
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2125 flush = 1;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2126 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2127
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2128 if (ngx_buf_special(in->buf)) {
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2129 in = in->next;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2130 continue;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2131 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2132
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2133 size = in->buf->last - in->buf->pos;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2134
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2135 if (size > buf->end - buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2136 size = buf->end - buf->last;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2137 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2138
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2139 if (send + size > limit) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2140 size = (ssize_t) (limit - send);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2141 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2142
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2143 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
6480 f01ab2dbcfdc Fixed logging. Sergey Kandaurov <pluknet@nginx.com> parents: 6474 diff changeset	2144 "SSL buf copy: %z", size);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2145
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2146 ngx_memcpy(buf->last, in->buf->pos, size);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2147
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2148 buf->last += size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2149 in->buf->pos += size;
3283 52b1624b93c2 fix segfault in SSL if limit_rate is used Igor Sysoev <igor@sysoev.ru> parents: 3159 diff changeset	2150 send += size;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2151
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2152 if (in->buf->pos == in->buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2153 in = in->next;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2154 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2155 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2156
5020 587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	2157 if (!flush && send < limit && buf->last < buf->end) {
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2158 break;
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2159 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2160
5021 674f8739e443 SSL: calculation of buffer size moved closer to its usage. Valentin Bartenev <vbart@nginx.com> parents: 5020 diff changeset	2161 size = buf->last - buf->pos;
674f8739e443 SSL: calculation of buffer size moved closer to its usage. Valentin Bartenev <vbart@nginx.com> parents: 5020 diff changeset	2162
5022 1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	2163 if (size == 0) {
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	2164 buf->flush = 0;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	2165 c->buffered &= ~NGX_SSL_BUFFERED;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	2166 return in;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	2167 }
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	2168
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2169 n = ngx_ssl_write(c, buf->pos, size);
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2170
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2171 if (n == NGX_ERROR) {
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	2172 return NGX_CHAIN_ERROR;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2173 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2174
511 c12967aadd87 nginx-0.1.30-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 509 diff changeset	2175 if (n == NGX_AGAIN) {
5020 587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	2176 break;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2177 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2178
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2179 buf->pos += n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2180
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2181 if (n < size) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2182 break;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2183 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2184
5019 69693a098655 SSL: resetting of flush flag after the data was written. Valentin Bartenev <vbart@nginx.com> parents: 5018 diff changeset	2185 flush = 0;
69693a098655 SSL: resetting of flush flag after the data was written. Valentin Bartenev <vbart@nginx.com> parents: 5018 diff changeset	2186
5018 0ea36741bb35 SSL: removed conditions that always hold true. Valentin Bartenev <vbart@nginx.com> parents: 5003 diff changeset	2187 buf->pos = buf->start;
0ea36741bb35 SSL: removed conditions that always hold true. Valentin Bartenev <vbart@nginx.com> parents: 5003 diff changeset	2188 buf->last = buf->start;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2189
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2190 if (in == NULL \|\| send == limit) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2191 break;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2192 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2193 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2194
5020 587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	2195 buf->flush = flush;
587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	2196
597 9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	2197 if (buf->pos < buf->last) {
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	2198 c->buffered \|= NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	2199
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	2200 } else {
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	2201 c->buffered &= ~NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	2202 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2203
399 4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import Igor Sysoev <igor@sysoev.ru> parents: 398 diff changeset	2204 return in;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2205 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2206
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2207
539 371c1cee100d nginx-0.1.44-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 513 diff changeset	2208 ssize_t
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2209 ngx_ssl_write(ngx_connection_t c, u_char data, size_t size)
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2210 {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2211 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2212 ngx_err_t err;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2213
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2214 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2215 if (c->ssl->in_early) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2216 return ngx_ssl_write_early(c, data, size);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2217 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2218 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2219
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2220 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2221
6480 f01ab2dbcfdc Fixed logging. Sergey Kandaurov <pluknet@nginx.com> parents: 6474 diff changeset	2222 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2223
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	2224 n = SSL_write(c->ssl->connection, data, size);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2225
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2226 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2227
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2228 if (n > 0) {
539 371c1cee100d nginx-0.1.44-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 513 diff changeset	2229
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2230 if (c->ssl->saved_read_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2231
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2232 c->read->handler = c->ssl->saved_read_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2233 c->ssl->saved_read_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2234 c->read->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2235
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	2236 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2237 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2238 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2239
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	2240 ngx_post_event(c->read, &ngx_posted_events);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2241 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2242
5986 c2f309fb7ad2 SSL: account sent bytes in ngx_ssl_write(). Ruslan Ermilov <ru@nginx.com> parents: 5946 diff changeset	2243 c->sent += n;
c2f309fb7ad2 SSL: account sent bytes in ngx_ssl_write(). Ruslan Ermilov <ru@nginx.com> parents: 5946 diff changeset	2244
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2245 return n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2246 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2247
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	2248 sslerr = SSL_get_error(c->ssl->connection, n);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2249
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2250 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2251
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2252 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2253
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2254 if (sslerr == SSL_ERROR_WANT_WRITE) {
7353 87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2255
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2256 if (c->ssl->saved_read_handler) {
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2257
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2258 c->read->handler = c->ssl->saved_read_handler;
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2259 c->ssl->saved_read_handler = NULL;
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2260 c->read->ready = 1;
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2261
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2262 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2263 return NGX_ERROR;
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2264 }
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2265
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2266 ngx_post_event(c->read, &ngx_posted_events);
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2267 }
87d2ea860f38 SSL: restore handlers after blocking. Maxim Dounin <mdounin@mdounin.ru> parents: 7352 diff changeset	2268
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2269 c->write->ready = 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2270 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2271 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2272
445 f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import Igor Sysoev <igor@sysoev.ru> parents: 444 diff changeset	2273 if (sslerr == SSL_ERROR_WANT_READ) {
452 23fb87bddda1 nginx-0.1.1-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 445 diff changeset	2274
7352 0de0b16a551c SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging. Maxim Dounin <mdounin@mdounin.ru> parents: 7333 diff changeset	2275 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
0de0b16a551c SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging. Maxim Dounin <mdounin@mdounin.ru> parents: 7333 diff changeset	2276 "SSL_write: want read");
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2277
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2278 c->read->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2279
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	2280 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2281 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2282 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2283
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2284 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2285 * we do not set the timer because there is already
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2286 * the write event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2287 */
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2288
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2289 if (c->ssl->saved_read_handler == NULL) {
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2290 c->ssl->saved_read_handler = c->read->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2291 c->read->handler = ngx_ssl_read_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2292 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2293
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2294 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2295 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	2296
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2297 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2298 c->ssl->no_send_shutdown = 1;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	2299 c->write->error = 1;
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	2300
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2301 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed");
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2302
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	2303 return NGX_ERROR;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2304 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2305
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2306
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2307 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2308
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2309 ssize_t
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2310 ngx_ssl_write_early(ngx_connection_t c, u_char data, size_t size)
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2311 {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2312 int n, sslerr;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2313 size_t written;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2314 ngx_err_t err;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2315
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2316 ngx_ssl_clear_error(c->log);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2317
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2318 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2319
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2320 written = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2321
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2322 n = SSL_write_early_data(c->ssl->connection, data, size, &written);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2323
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2324 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2325 "SSL_write_early_data: %d, %uz", n, written);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2326
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2327 if (n > 0) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2328
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2329 if (c->ssl->saved_read_handler) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2330
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2331 c->read->handler = c->ssl->saved_read_handler;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2332 c->ssl->saved_read_handler = NULL;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2333 c->read->ready = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2334
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2335 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2336 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2337 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2338
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2339 ngx_post_event(c->read, &ngx_posted_events);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2340 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2341
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2342 c->sent += written;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2343
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2344 return written;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2345 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2346
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2347 sslerr = SSL_get_error(c->ssl->connection, n);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2348
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2349 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2350
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2351 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2352
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2353 if (sslerr == SSL_ERROR_WANT_WRITE) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2354
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2355 if (c->ssl->saved_read_handler) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2356
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2357 c->read->handler = c->ssl->saved_read_handler;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2358 c->ssl->saved_read_handler = NULL;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2359 c->read->ready = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2360
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2361 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2362 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2363 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2364
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2365 ngx_post_event(c->read, &ngx_posted_events);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2366 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2367
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2368 c->write->ready = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2369 return NGX_AGAIN;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2370 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2371
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2372 if (sslerr == SSL_ERROR_WANT_READ) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2373
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2374 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2375 "SSL_write_early_data: want read");
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2376
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2377 c->read->ready = 0;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2378
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2379 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2380 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2381 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2382
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2383 /*
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2384 * we do not set the timer because there is already
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2385 * the write event timer
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2386 */
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2387
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2388 if (c->ssl->saved_read_handler == NULL) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2389 c->ssl->saved_read_handler = c->read->handler;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2390 c->read->handler = ngx_ssl_read_handler;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2391 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2392
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2393 return NGX_AGAIN;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2394 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2395
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2396 c->ssl->no_wait_shutdown = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2397 c->ssl->no_send_shutdown = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2398 c->write->error = 1;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2399
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2400 ngx_ssl_connection_error(c, sslerr, err, "SSL_write_early_data() failed");
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2401
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2402 return NGX_ERROR;
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2403 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2404
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2405 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2406
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	2407
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2408 static void
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2409 ngx_ssl_read_handler(ngx_event_t *rev)
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2410 {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2411 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2412
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2413 c = rev->data;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2414
7352 0de0b16a551c SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging. Maxim Dounin <mdounin@mdounin.ru> parents: 7333 diff changeset	2415 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler");
0de0b16a551c SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging. Maxim Dounin <mdounin@mdounin.ru> parents: 7333 diff changeset	2416
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2417 c->write->handler(c->write);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2418 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2419
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2420
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2421 void
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2422 ngx_ssl_free_buffer(ngx_connection_t *c)
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2423 {
1795 3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	2424 if (c->ssl->buf && c->ssl->buf->start) {
3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	2425 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) {
3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	2426 c->ssl->buf->start = NULL;
3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	2427 }
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2428 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2429 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2430
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	2431
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2432 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2433 ngx_ssl_shutdown(ngx_connection_t *c)
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2434 {
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2435 int n, sslerr, mode;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2436 ngx_err_t err;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2437
6407 062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2438 if (SSL_in_init(c->ssl->connection)) {
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2439 /*
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2440 * OpenSSL 1.0.2f complains if SSL_shutdown() is called during
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2441 * an SSL handshake, while previous versions always return 0.
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2442 * Avoid calling SSL_shutdown() if handshake wasn't completed.
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2443 */
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2444
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2445 SSL_free(c->ssl->connection);
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2446 c->ssl = NULL;
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2447
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2448 return NGX_OK;
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2449 }
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	2450
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2451 if (c->timedout) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2452 mode = SSL_RECEIVED_SHUTDOWN\|SSL_SENT_SHUTDOWN;
4064 5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	2453 SSL_set_quiet_shutdown(c->ssl->connection, 1);
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	2454
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2455 } else {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2456 mode = SSL_get_shutdown(c->ssl->connection);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	2457
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2458 if (c->ssl->no_wait_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2459 mode \|= SSL_RECEIVED_SHUTDOWN;
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	2460 }
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	2461
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2462 if (c->ssl->no_send_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2463 mode \|= SSL_SENT_SHUTDOWN;
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	2464 }
4064 5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	2465
5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	2466 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) {
5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	2467 SSL_set_quiet_shutdown(c->ssl->connection, 1);
5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	2468 }
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2469 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2470
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2471 SSL_set_shutdown(c->ssl->connection, mode);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2472
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2473 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2474
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2475 n = SSL_shutdown(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2476
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2477 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2478
461 a88a3e4e158f nginx-0.1.5-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 455 diff changeset	2479 sslerr = 0;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2480
6406 d194cad6dd3a SSL: fixed SSL_shutdown() comment. Maxim Dounin <mdounin@mdounin.ru> parents: 6261 diff changeset	2481 /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	2482
1865 4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755 Igor Sysoev <igor@sysoev.ru> parents: 1861 diff changeset	2483 if (n != 1 && ERR_peek_error()) {
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	2484 sslerr = SSL_get_error(c->ssl->connection, n);
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2485
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	2486 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	2487 "SSL_get_error: %d", sslerr);
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2488 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2489
1865 4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755 Igor Sysoev <igor@sysoev.ru> parents: 1861 diff changeset	2490 if (n == 1 \|\| sslerr == 0 \|\| sslerr == SSL_ERROR_ZERO_RETURN) {
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2491 SSL_free(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2492 c->ssl = NULL;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2493
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2494 return NGX_OK;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2495 }
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2496
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2497 if (sslerr == SSL_ERROR_WANT_READ \|\| sslerr == SSL_ERROR_WANT_WRITE) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2498 c->read->handler = ngx_ssl_shutdown_handler;
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	2499 c->write->handler = ngx_ssl_shutdown_handler;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2500
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	2501 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2502 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2503 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2504
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	2505 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2506 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2507 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2508
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	2509 if (sslerr == SSL_ERROR_WANT_READ) {
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	2510 ngx_add_timer(c->read, 30000);
d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	2511 }
d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	2512
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2513 return NGX_AGAIN;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2514 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2515
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	2516 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	2517
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	2518 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed");
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2519
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	2520 SSL_free(c->ssl->connection);
511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	2521 c->ssl = NULL;
511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	2522
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2523 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2524 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2525
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	2526
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2527 static void
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2528 ngx_ssl_shutdown_handler(ngx_event_t *ev)
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2529 {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2530 ngx_connection_t *c;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2531 ngx_connection_handler_pt handler;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2532
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2533 c = ev->data;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2534 handler = c->ssl->handler;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2535
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2536 if (ev->timedout) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2537 c->timedout = 1;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2538 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2539
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2540 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler");
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2541
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2542 if (ngx_ssl_shutdown(c) == NGX_AGAIN) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2543 return;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2544 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2545
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2546 handler(c);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2547 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2548
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2549
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2550 static void
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2551 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2552 char *text)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2553 {
1876 5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2554 int n;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2555 ngx_uint_t level;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2556
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2557 level = NGX_LOG_CRIT;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2558
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2559 if (sslerr == SSL_ERROR_SYSCALL) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2560
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2561 if (err == NGX_ECONNRESET
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2562 \|\| err == NGX_EPIPE
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2563 \|\| err == NGX_ENOTCONN
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	2564 \|\| err == NGX_ETIMEDOUT
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2565 \|\| err == NGX_ECONNREFUSED
1869 192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN Igor Sysoev <igor@sysoev.ru> parents: 1868 diff changeset	2566 \|\| err == NGX_ENETDOWN
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN Igor Sysoev <igor@sysoev.ru> parents: 1868 diff changeset	2567 \|\| err == NGX_ENETUNREACH
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN Igor Sysoev <igor@sysoev.ru> parents: 1868 diff changeset	2568 \|\| err == NGX_EHOSTDOWN
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2569 \|\| err == NGX_EHOSTUNREACH)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2570 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2571 switch (c->log_error) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2572
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2573 case NGX_ERROR_IGNORE_ECONNRESET:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2574 case NGX_ERROR_INFO:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2575 level = NGX_LOG_INFO;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2576 break;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2577
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2578 case NGX_ERROR_ERR:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2579 level = NGX_LOG_ERR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2580 break;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2581
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2582 default:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2583 break;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2584 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2585 }
1876 5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2586
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2587 } else if (sslerr == SSL_ERROR_SSL) {
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2588
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2589 n = ERR_GET_REASON(ERR_peek_error());
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2590
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2591 /* handshake failures */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2592 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
7360 8f25a44d9add SSL: logging level of "no suitable key share". Maxim Dounin <mdounin@mdounin.ru> parents: 7357 diff changeset	2593 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
8f25a44d9add SSL: logging level of "no suitable key share". Maxim Dounin <mdounin@mdounin.ru> parents: 7357 diff changeset	2594 \|\| n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */
8f25a44d9add SSL: logging level of "no suitable key share". Maxim Dounin <mdounin@mdounin.ru> parents: 7357 diff changeset	2595 #endif
7361 c09c7d47acb9 SSL: logging level of "no suitable signature algorithm". Maxim Dounin <mdounin@mdounin.ru> parents: 7360 diff changeset	2596 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
c09c7d47acb9 SSL: logging level of "no suitable signature algorithm". Maxim Dounin <mdounin@mdounin.ru> parents: 7360 diff changeset	2597 \|\| n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */
c09c7d47acb9 SSL: logging level of "no suitable signature algorithm". Maxim Dounin <mdounin@mdounin.ru> parents: 7360 diff changeset	2598 #endif
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2599 \|\| n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
3718 bfd84b583868 decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3516 diff changeset	2600 \|\| n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2601 \|\| n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2602 \|\| n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
7311 778358452a81 SSL: logging level of "https proxy request" errors. Maxim Dounin <mdounin@mdounin.ru> parents: 7291 diff changeset	2603 \|\| n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */
778358452a81 SSL: logging level of "https proxy request" errors. Maxim Dounin <mdounin@mdounin.ru> parents: 7291 diff changeset	2604 \|\| n == SSL_R_HTTP_REQUEST /* 156 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	2605 \|\| n == SSL_R_LENGTH_MISMATCH /* 159 */
6652 1891b2892b68 SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6591 diff changeset	2606 #ifdef SSL_R_NO_CIPHERS_PASSED
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2607 \|\| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
6652 1891b2892b68 SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6591 diff changeset	2608 #endif
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	2609 \|\| n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2610 \|\| n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2611 \|\| n == SSL_R_NO_SHARED_CIPHER /* 193 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	2612 \|\| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2613 #ifdef SSL_R_PARSE_TLSEXT
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2614 \|\| n == SSL_R_PARSE_TLSEXT /* 227 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2615 #endif
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2616 \|\| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2617 \|\| n == SSL_R_UNEXPECTED_RECORD /* 245 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	2618 \|\| n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
3357 fc735aa50b8b decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3300 diff changeset	2619 \|\| n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
7361 c09c7d47acb9 SSL: logging level of "no suitable signature algorithm". Maxim Dounin <mdounin@mdounin.ru> parents: 7360 diff changeset	2620 #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS
c09c7d47acb9 SSL: logging level of "no suitable signature algorithm". Maxim Dounin <mdounin@mdounin.ru> parents: 7360 diff changeset	2621 \|\| n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */
c09c7d47acb9 SSL: logging level of "no suitable signature algorithm". Maxim Dounin <mdounin@mdounin.ru> parents: 7360 diff changeset	2622 #endif
7317 6565f0dbe8c5 SSL: logging levels of "unsupported protocol", "version too low". Maxim Dounin <mdounin@mdounin.ru> parents: 7311 diff changeset	2623 \|\| n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */
7360 8f25a44d9add SSL: logging level of "no suitable key share". Maxim Dounin <mdounin@mdounin.ru> parents: 7357 diff changeset	2624 #ifdef SSL_R_NO_SHARED_GROUP
8f25a44d9add SSL: logging level of "no suitable key share". Maxim Dounin <mdounin@mdounin.ru> parents: 7357 diff changeset	2625 \|\| n == SSL_R_NO_SHARED_GROUP /* 266 */
8f25a44d9add SSL: logging level of "no suitable key share". Maxim Dounin <mdounin@mdounin.ru> parents: 7357 diff changeset	2626 #endif
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2627 \|\| n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2628 \|\| n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2629 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2630 \|\| n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2631 \|\| n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2632 \|\| n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2633 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2634 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2635 \|\| n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2636 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2637 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2638 \|\| n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2639 #endif
5902 b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662). Maxim Dounin <mdounin@mdounin.ru> parents: 5892 diff changeset	2640 #ifdef SSL_R_INAPPROPRIATE_FALLBACK
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662). Maxim Dounin <mdounin@mdounin.ru> parents: 5892 diff changeset	2641 \|\| n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662). Maxim Dounin <mdounin@mdounin.ru> parents: 5892 diff changeset	2642 #endif
7317 6565f0dbe8c5 SSL: logging levels of "unsupported protocol", "version too low". Maxim Dounin <mdounin@mdounin.ru> parents: 7311 diff changeset	2643 #ifdef SSL_R_VERSION_TOO_LOW
6565f0dbe8c5 SSL: logging levels of "unsupported protocol", "version too low". Maxim Dounin <mdounin@mdounin.ru> parents: 7311 diff changeset	2644 \|\| n == SSL_R_VERSION_TOO_LOW /* 396 */
6565f0dbe8c5 SSL: logging levels of "unsupported protocol", "version too low". Maxim Dounin <mdounin@mdounin.ru> parents: 7311 diff changeset	2645 #endif
1877 a55876dff8f5 low SSL handshake close notify alert error level Igor Sysoev <igor@sysoev.ru> parents: 1876 diff changeset	2646 \|\| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
6486 978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6485 diff changeset	2647 #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2648 \|\| n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2649 \|\| n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2650 \|\| n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2651 \|\| n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2652 \|\| n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2653 \|\| n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2654 \|\| n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2655 \|\| n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2656 \|\| n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2657 \|\| n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2658 \|\| n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2659 \|\| n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2660 \|\| n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2661 \|\| n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2662 \|\| n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2663 \|\| n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2664 \|\| n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2665 \|\| n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2666 \|\| n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2667 \|\| n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2668 \|\| n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2669 \|\| n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */
6486 978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6485 diff changeset	2670 \|\| n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6485 diff changeset	2671 #endif
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6485 diff changeset	2672 )
1876 5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2673 {
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2674 switch (c->log_error) {
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2675
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2676 case NGX_ERROR_IGNORE_ECONNRESET:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2677 case NGX_ERROR_INFO:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2678 level = NGX_LOG_INFO;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2679 break;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2680
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2681 case NGX_ERROR_ERR:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2682 level = NGX_LOG_ERR;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2683 break;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2684
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2685 default:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2686 break;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2687 }
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2688 }
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2689 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2690
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2691 ngx_ssl_error(level, c->log, err, text);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2692 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2693
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2694
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2695 static void
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2696 ngx_ssl_clear_error(ngx_log_t *log)
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2697 {
1868 c2cd0720f292 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1865 diff changeset	2698 while (ERR_peek_error()) {
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2699 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2700 }
1868 c2cd0720f292 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1865 diff changeset	2701
c2cd0720f292 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1865 diff changeset	2702 ERR_clear_error();
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2703 }
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2704
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2705
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2706 void ngx_cdecl
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2707 ngx_ssl_error(ngx_uint_t level, ngx_log_t log, ngx_err_t err, char fmt, ...)
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2708 {
4877 f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2709 int flags;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2710 u_long n;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2711 va_list args;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2712 u_char p, last;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2713 u_char errstr[NGX_MAX_CONF_ERRSTR];
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2714 const char *data;
461 a88a3e4e158f nginx-0.1.5-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 455 diff changeset	2715
a88a3e4e158f nginx-0.1.5-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 455 diff changeset	2716 last = errstr + NGX_MAX_CONF_ERRSTR;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2717
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2718 va_start(args, fmt);
2764 d4a717592877 use ngx_vslprintf(), ngx_slprintf() Igor Sysoev <igor@sysoev.ru> parents: 2720 diff changeset	2719 p = ngx_vslprintf(errstr, last - 1, fmt, args);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2720 va_end(args);
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2721
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2722 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2723
1861 f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	2724 for ( ;; ) {
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2725
4877 f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2726 n = ERR_peek_error_line_data(NULL, NULL, &data, &flags);
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2727
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2728 if (n == 0) {
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2729 break;
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2730 }
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2731
6775 8081e1f3ab8b SSL: overcame possible buffer over-read in ngx_ssl_error(). Valentin Bartenev <vbart@nginx.com> parents: 6725 diff changeset	2732 /* ERR_error_string_n() requires at least one byte */
8081e1f3ab8b SSL: overcame possible buffer over-read in ngx_ssl_error(). Valentin Bartenev <vbart@nginx.com> parents: 6725 diff changeset	2733
8081e1f3ab8b SSL: overcame possible buffer over-read in ngx_ssl_error(). Valentin Bartenev <vbart@nginx.com> parents: 6725 diff changeset	2734 if (p >= last - 1) {
4877 f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2735 goto next;
1861 f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	2736 }
f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	2737
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2738 *p++ = ' ';
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2739
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2740 ERR_error_string_n(n, (char *) p, last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2741
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2742 while (p < last && *p) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2743 p++;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2744 }
4877 f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2745
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2746 if (p < last && *data && (flags & ERR_TXT_STRING)) {
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2747 *p++ = ':';
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2748 p = ngx_cpystrn(p, (u_char *) data, last - p);
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2749 }
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2750
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2751 next:
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2752
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2753 (void) ERR_get_error();
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2754 }
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2755
6259 2f34ea503ac4 SSL: handled long string truncation in ngx_ssl_error(). Vladimir Homutov <vl@nginx.com> parents: 6255 diff changeset	2756 ngx_log_error(level, log, err, "%*s)", p - errstr, errstr);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2757 }
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2758
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2759
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2760 ngx_int_t
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2761 ngx_ssl_session_cache(ngx_ssl_t ssl, ngx_str_t sess_ctx,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2762 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2763 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2764 long cache_mode;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2765
5424 767aa37f12de SSL: SSL_CTX_set_timeout() now always called. Maxim Dounin <mdounin@mdounin.ru> parents: 5423 diff changeset	2766 SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
767aa37f12de SSL: SSL_CTX_set_timeout() now always called. Maxim Dounin <mdounin@mdounin.ru> parents: 5423 diff changeset	2767
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2768 if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2769 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2770 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2771
1778 14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2772 if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2773 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2774 return NGX_OK;
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2775 }
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2776
2032 12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2777 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2778
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2779 /*
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2780 * If the server explicitly says that it does not support
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2781 * session reuse (see SSL_SESS_CACHE_OFF above), then
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2782 * Outlook Express fails to upload a sent email to
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2783 * the Sent Items folder on the IMAP server via a separate IMAP
6552 addd98357629 SSL: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6551 diff changeset	2784 * connection in the background. Therefore we have a special
2032 12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2785 * mode (SSL_SESS_CACHE_SERVER\|SSL_SESS_CACHE_NO_INTERNAL_STORE)
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2786 * where the server pretends that it supports session reuse,
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2787 * but it does not actually store any session.
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2788 */
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2789
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2790 SSL_CTX_set_session_cache_mode(ssl->ctx,
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2791 SSL_SESS_CACHE_SERVER
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2792 \|SSL_SESS_CACHE_NO_AUTO_CLEAR
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2793 \|SSL_SESS_CACHE_NO_INTERNAL_STORE);
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2794
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2795 SSL_CTX_sess_set_cache_size(ssl->ctx, 1);
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2796
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2797 return NGX_OK;
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2798 }
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2799
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2800 cache_mode = SSL_SESS_CACHE_SERVER;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2801
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2802 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2803 cache_mode \|= SSL_SESS_CACHE_NO_INTERNAL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2804 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2805
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2806 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2807
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2808 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2809
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2810 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2811 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2812 }
1015 32ebb6b13ff3 ssl_session_timeout was set only if builtin cache was used Igor Sysoev <igor@sysoev.ru> parents: 1014 diff changeset	2813 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2814
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2815 if (shm_zone) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2816 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2817 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2818 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2819
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2820 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2821 == 0)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2822 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2823 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2824 "SSL_CTX_set_ex_data() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2825 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2826 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2827 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2828
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2829 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2830 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2831
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2832
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2833 static ngx_int_t
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2834 ngx_ssl_session_id_context(ngx_ssl_t ssl, ngx_str_t sess_ctx)
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2835 {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2836 int n, i;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2837 X509 *cert;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2838 X509_NAME *name;
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2839 EVP_MD_CTX *md;
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2840 unsigned int len;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2841 STACK_OF(X509_NAME) *list;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2842 u_char buf[EVP_MAX_MD_SIZE];
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2843
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2844 /*
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2845 * Session ID context is set based on the string provided,
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2846 * the server certificates, and the client CA list.
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2847 */
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2848
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2849 md = EVP_MD_CTX_create();
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2850 if (md == NULL) {
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2851 return NGX_ERROR;
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2852 }
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2853
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2854 if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) {
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2855 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2856 "EVP_DigestInit_ex() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2857 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2858 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2859
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2860 if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) {
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2861 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2862 "EVP_DigestUpdate() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2863 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2864 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2865
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2866 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2867 cert;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2868 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2869 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2870 if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2871 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2872 "X509_digest() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2873 goto failed;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2874 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2875
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2876 if (EVP_DigestUpdate(md, buf, len) == 0) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2877 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2878 "EVP_DigestUpdate() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2879 goto failed;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2880 }
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2881 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2882
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2883 list = SSL_CTX_get_client_CA_list(ssl->ctx);
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2884
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2885 if (list != NULL) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2886 n = sk_X509_NAME_num(list);
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2887
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2888 for (i = 0; i < n; i++) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2889 name = sk_X509_NAME_value(list, i);
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2890
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2891 if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2892 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2893 "X509_NAME_digest() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2894 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2895 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2896
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2897 if (EVP_DigestUpdate(md, buf, len) == 0) {
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2898 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2899 "EVP_DigestUpdate() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2900 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2901 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2902 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2903 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2904
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2905 if (EVP_DigestFinal_ex(md, buf, &len) == 0) {
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2906 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2907 "EVP_DigestUpdate() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2908 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2909 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2910
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2911 EVP_MD_CTX_destroy(md);
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2912
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2913 if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2914 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2915 "SSL_CTX_set_session_id_context() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2916 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2917 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2918
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2919 return NGX_OK;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2920
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2921 failed:
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2922
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2923 EVP_MD_CTX_destroy(md);
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2924
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2925 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2926 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2927
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2928
3992 a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not Igor Sysoev <igor@sysoev.ru> parents: 3962 diff changeset	2929 ngx_int_t
993 1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2930 ngx_ssl_session_cache_init(ngx_shm_zone_t shm_zone, void data)
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2931 {
2611 2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2932 size_t len;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2933 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2934 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2935
993 1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2936 if (data) {
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2937 shm_zone->data = data;
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2938 return NGX_OK;
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2939 }
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2940
5640 4c6ceca4f5f7 Win32: fixed shared ssl_session_cache (ticket #528). Maxim Dounin <mdounin@mdounin.ru> parents: 5634 diff changeset	2941 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
4c6ceca4f5f7 Win32: fixed shared ssl_session_cache (ticket #528). Maxim Dounin <mdounin@mdounin.ru> parents: 5634 diff changeset	2942
2720 b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2943 if (shm_zone->shm.exists) {
5640 4c6ceca4f5f7 Win32: fixed shared ssl_session_cache (ticket #528). Maxim Dounin <mdounin@mdounin.ru> parents: 5634 diff changeset	2944 shm_zone->data = shpool->data;
2720 b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2945 return NGX_OK;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2946 }
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2947
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2948 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t));
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2949 if (cache == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2950 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2951 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2952
2720 b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2953 shpool->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2954 shm_zone->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2955
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2956 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel,
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2957 ngx_ssl_session_rbtree_insert_value);
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2958
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2959 ngx_queue_init(&cache->expire_queue);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2960
2716 d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2710 diff changeset	2961 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len;
2611 2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2962
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2963 shpool->log_ctx = ngx_slab_alloc(shpool, len);
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2964 if (shpool->log_ctx == NULL) {
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2965 return NGX_ERROR;
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2966 }
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2967
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2968 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z",
2716 d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2710 diff changeset	2969 &shm_zone->shm.name);
2611 2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2970
5634 5024d29354f1 Core: slab log_nomem flag. Maxim Dounin <mdounin@mdounin.ru> parents: 5573 diff changeset	2971 shpool->log_nomem = 0;
5024d29354f1 Core: slab log_nomem flag. Maxim Dounin <mdounin@mdounin.ru> parents: 5573 diff changeset	2972
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2973 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2974 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2975
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2976
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2977 /*
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2978 * The length of the session id is 16 bytes for SSLv2 sessions and
5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2979 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes.
5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2980 * It seems that the typical length of the external ASN1 representation
5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2981 * of a session is 118 or 119 bytes for SSLv3/TSLv1.
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2982 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2983 * Thus on 32-bit platforms we allocate separately an rbtree node,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2984 * a session id, and an ASN1 representation, they take accordingly
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2985 * 64, 32, and 128 bytes.
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2986 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2987 * On 64-bit platforms we allocate separately an rbtree node + session_id,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2988 * and an ASN1 representation, they take accordingly 128 and 128 bytes.
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2989 *
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2990 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2991 * so they are outside the code locked by shared pool mutex
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2992 */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2993
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2994 static int
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2995 ngx_ssl_new_session(ngx_ssl_conn_t ssl_conn, ngx_ssl_session_t sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2996 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2997 int len;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2998 u_char p, id, cached_sess, session_id;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2999 uint32_t hash;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3000 SSL_CTX *ssl_ctx;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3001 unsigned int session_id_length;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3002 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3003 ngx_connection_t *c;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3004 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3005 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3006 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3007 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3008
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3009 len = i2d_SSL_SESSION(sess, NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3010
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3011 /* do not cache too big session */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3012
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3013 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3014 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3015 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3016
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3017 p = buf;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3018 i2d_SSL_SESSION(sess, &p);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3019
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3020 c = ngx_ssl_get_connection(ssl_conn);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3021
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	3022 ssl_ctx = c->ssl->session_ctx;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3023 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3024
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3025 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3026 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3027
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3028 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3029
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3030 /* drop one or two expired sessions */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3031 ngx_ssl_expire_sessions(cache, shpool, 1);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3032
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	3033 cached_sess = ngx_slab_alloc_locked(shpool, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3034
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3035 if (cached_sess == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3036
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3037 /* drop the oldest non-expired session and try once more */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3038
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3039 ngx_ssl_expire_sessions(cache, shpool, 0);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3040
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	3041 cached_sess = ngx_slab_alloc_locked(shpool, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3042
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3043 if (cached_sess == NULL) {
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3044 sess_id = NULL;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3045 goto failed;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3046 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3047 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3048
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3049 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3050
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3051 if (sess_id == NULL) {
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3052
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3053 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3054
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3055 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3056
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3057 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3058
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3059 if (sess_id == NULL) {
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3060 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3061 }
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3062 }
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3063
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3064 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3065
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3066 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3067
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3068 #else
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3069
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3070 session_id = sess->session_id;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3071 session_id_length = sess->session_id_length;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3072
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3073 #endif
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3074
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3075 #if (NGX_PTR_SIZE == 8)
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3076
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3077 id = sess_id->sess_id;
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3078
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3079 #else
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3080
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3081 id = ngx_slab_alloc_locked(shpool, session_id_length);
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3082
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3083 if (id == NULL) {
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3084
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3085 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3086
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3087 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3088
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3089 id = ngx_slab_alloc_locked(shpool, session_id_length);
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3090
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3091 if (id == NULL) {
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3092 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	3093 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3094 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3095
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3096 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3097
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	3098 ngx_memcpy(cached_sess, buf, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3099
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3100 ngx_memcpy(id, session_id, session_id_length);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3101
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3102 hash = ngx_crc32_short(session_id, session_id_length);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3103
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3104 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3105 "ssl new session: %08XD:%ud:%d",
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3106 hash, session_id_length, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3107
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3108 sess_id->node.key = hash;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3109 sess_id->node.data = (u_char) session_id_length;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3110 sess_id->id = id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3111 sess_id->len = len;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3112 sess_id->session = cached_sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3113
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	3114 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3115
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3116 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3117
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	3118 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3119
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3120 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3121
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3122 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3123
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3124 failed:
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3125
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3126 if (cached_sess) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3127 ngx_slab_free_locked(shpool, cached_sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3128 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3129
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3130 if (sess_id) {
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3131 ngx_slab_free_locked(shpool, sess_id);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3132 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3133
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3134 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3135
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3136 ngx_log_error(NGX_LOG_ALERT, c->log, 0,
5634 5024d29354f1 Core: slab log_nomem flag. Maxim Dounin <mdounin@mdounin.ru> parents: 5573 diff changeset	3137 "could not allocate new session%s", shpool->log_ctx);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3138
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3139 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3140 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3141
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3142
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3143 static ngx_ssl_session_t *
6487 9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	3144 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	3145 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	3146 const
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	3147 #endif
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	3148 u_char id, int len, int copy)
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3149 {
989 5595e47d4f17 d2i_SSL_SESSION() was changed in 0.9.7f Igor Sysoev <igor@sysoev.ru> parents: 974 diff changeset	3150 #if OPENSSL_VERSION_NUMBER >= 0x0090707fL
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3151 const
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3152 #endif
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3153 u_char *p;
7365 cd4fa2fab8d8 SSL: fixed unlocked access to sess_id->len. Ruslan Ermilov <ru@nginx.com> parents: 7361 diff changeset	3154 size_t slen;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3155 uint32_t hash;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3156 ngx_int_t rc;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3157 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3158 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3159 ngx_rbtree_node_t node, sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3160 ngx_ssl_session_t *sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3161 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3162 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3163 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
3961 4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	3164 ngx_connection_t *c;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3165
6487 9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	3166 hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3167 *copy = 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3168
3961 4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	3169 c = ngx_ssl_get_connection(ssl_conn);
4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	3170
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3171 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
3155 e720c4a68ee0 fix debug log message Igor Sysoev <igor@sysoev.ru> parents: 3154 diff changeset	3172 "ssl get session: %08XD:%d", hash, len);
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	3173
97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	3174 shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx,
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3175 ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3176
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3177 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3178
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3179 sess = NULL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3180
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3181 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3182
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3183 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3184
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	3185 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	3186 sentinel = cache->session_rbtree.sentinel;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3187
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3188 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3189
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3190 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3191 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3192 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3193 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3194
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3195 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3196 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3197 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3198 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3199
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	3200 /* hash == node->key */
7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	3201
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3202 sess_id = (ngx_ssl_sess_id_t *) node;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3203
6487 9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	3204 rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id,
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	3205 (size_t) len, (size_t) node->data);
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3206
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3207 if (rc == 0) {
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3208
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3209 if (sess_id->expire > ngx_time()) {
7365 cd4fa2fab8d8 SSL: fixed unlocked access to sess_id->len. Ruslan Ermilov <ru@nginx.com> parents: 7361 diff changeset	3210 slen = sess_id->len;
cd4fa2fab8d8 SSL: fixed unlocked access to sess_id->len. Ruslan Ermilov <ru@nginx.com> parents: 7361 diff changeset	3211
cd4fa2fab8d8 SSL: fixed unlocked access to sess_id->len. Ruslan Ermilov <ru@nginx.com> parents: 7361 diff changeset	3212 ngx_memcpy(buf, sess_id->session, slen);
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3213
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3214 ngx_shmtx_unlock(&shpool->mutex);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3215
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3216 p = buf;
7365 cd4fa2fab8d8 SSL: fixed unlocked access to sess_id->len. Ruslan Ermilov <ru@nginx.com> parents: 7361 diff changeset	3217 sess = d2i_SSL_SESSION(NULL, &p, slen);
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3218
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3219 return sess;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3220 }
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3221
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3222 ngx_queue_remove(&sess_id->queue);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3223
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3224 ngx_rbtree_delete(&cache->session_rbtree, node);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3225
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3226 ngx_slab_free_locked(shpool, sess_id->session);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3227 #if (NGX_PTR_SIZE == 4)
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3228 ngx_slab_free_locked(shpool, sess_id->id);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3229 #endif
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3230 ngx_slab_free_locked(shpool, sess_id);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3231
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3232 sess = NULL;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3233
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3234 goto done;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3235 }
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3236
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3237 node = (rc < 0) ? node->left : node->right;
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	3238 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3239
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	3240 done:
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3241
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3242 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3243
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3244 return sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3245 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3246
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3247
1924 291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3248 void
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3249 ngx_ssl_remove_cached_session(SSL_CTX ssl, ngx_ssl_session_t sess)
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3250 {
6474 2cd019520210 Style. Ruslan Ermilov <ru@nginx.com> parents: 6407 diff changeset	3251 SSL_CTX_remove_session(ssl, sess);
2cd019520210 Style. Ruslan Ermilov <ru@nginx.com> parents: 6407 diff changeset	3252
2cd019520210 Style. Ruslan Ermilov <ru@nginx.com> parents: 6407 diff changeset	3253 ngx_ssl_remove_session(ssl, sess);
1924 291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3254 }
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3255
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3256
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3257 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3258 ngx_ssl_remove_session(SSL_CTX ssl, ngx_ssl_session_t sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3259 {
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3260 u_char *id;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3261 uint32_t hash;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3262 ngx_int_t rc;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3263 unsigned int len;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3264 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3265 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3266 ngx_rbtree_node_t node, sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3267 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3268 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3269
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3270 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3271
1924 291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3272 if (shm_zone == NULL) {
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3273 return;
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3274 }
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	3275
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3276 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3277
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3278 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3279
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3280 id = (u_char *) SSL_SESSION_get_id(sess, &len);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3281
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3282 #else
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3283
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3284 id = sess->session_id;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3285 len = sess->session_id_length;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3286
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3287 #endif
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3288
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3289 hash = ngx_crc32_short(id, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3290
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3291 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3292 "ssl remove session: %08XD:%ud", hash, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3293
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3294 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3295
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3296 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3297
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	3298 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	3299 sentinel = cache->session_rbtree.sentinel;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3300
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3301 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3302
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3303 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3304 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3305 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3306 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3307
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3308 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3309 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3310 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3311 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3312
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	3313 /* hash == node->key */
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3314
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3315 sess_id = (ngx_ssl_sess_id_t *) node;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3316
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3317 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3318
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3319 if (rc == 0) {
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3320
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3321 ngx_queue_remove(&sess_id->queue);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3322
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3323 ngx_rbtree_delete(&cache->session_rbtree, node);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3324
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3325 ngx_slab_free_locked(shpool, sess_id->session);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3326 #if (NGX_PTR_SIZE == 4)
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3327 ngx_slab_free_locked(shpool, sess_id->id);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3328 #endif
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3329 ngx_slab_free_locked(shpool, sess_id);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3330
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3331 goto done;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3332 }
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3333
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	3334 node = (rc < 0) ? node->left : node->right;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3335 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3336
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	3337 done:
7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	3338
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3339 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3340 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3341
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3342
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3343 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3344 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3345 ngx_slab_pool_t *shpool, ngx_uint_t n)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3346 {
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	3347 time_t now;
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3348 ngx_queue_t *q;
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	3349 ngx_ssl_sess_id_t *sess_id;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3350
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	3351 now = ngx_time();
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3352
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3353 while (n < 3) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3354
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3355 if (ngx_queue_empty(&cache->expire_queue)) {
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3356 return;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3357 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3358
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3359 q = ngx_queue_last(&cache->expire_queue);
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3360
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3361 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue);
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3362
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	3363 if (n++ != 0 && sess_id->expire > now) {
1439 36548ad85be1 style fix Igor Sysoev <igor@sysoev.ru> parents: 1426 diff changeset	3364 return;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3365 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3366
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3367 ngx_queue_remove(q);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3368
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3369 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3370 "expire session: %08Xi", sess_id->node.key);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3371
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3372 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	3373
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	3374 ngx_slab_free_locked(shpool, sess_id->session);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3375 #if (NGX_PTR_SIZE == 4)
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3376 ngx_slab_free_locked(shpool, sess_id->id);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	3377 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3378 ngx_slab_free_locked(shpool, sess_id);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3379 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3380 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3381
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	3382
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3383 static void
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3384 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3385 ngx_rbtree_node_t node, ngx_rbtree_node_t sentinel)
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3386 {
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3387 ngx_rbtree_node_t **p;
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3388 ngx_ssl_sess_id_t sess_id, sess_id_temp;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3389
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3390 for ( ;; ) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3391
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3392 if (node->key < temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3393
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3394 p = &temp->left;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3395
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3396 } else if (node->key > temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3397
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3398 p = &temp->right;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3399
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3400 } else { /* node->key == temp->key */
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3401
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3402 sess_id = (ngx_ssl_sess_id_t *) node;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3403 sess_id_temp = (ngx_ssl_sess_id_t *) temp;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3404
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3405 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id,
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3406 (size_t) node->data, (size_t) temp->data)
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3407 < 0) ? &temp->left : &temp->right;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3408 }
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3409
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3410 if (*p == sentinel) {
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3411 break;
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3412 }
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3413
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3414 temp = *p;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3415 }
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3416
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	3417 *p = node;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3418 node->parent = temp;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3419 node->left = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3420 node->right = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3421 ngx_rbt_red(node);
1043 7073b87fa8e9 style fix: remove trailing spaces Igor Sysoev <igor@sysoev.ru> parents: 1029 diff changeset	3422 }
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3423
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	3424
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3425 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3426
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3427 ngx_int_t
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3428 ngx_ssl_session_ticket_keys(ngx_conf_t cf, ngx_ssl_t ssl, ngx_array_t *paths)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3429 {
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3430 u_char buf[80];
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3431 size_t size;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3432 ssize_t n;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3433 ngx_str_t *path;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3434 ngx_file_t file;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3435 ngx_uint_t i;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3436 ngx_array_t *keys;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3437 ngx_file_info_t fi;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3438 ngx_ssl_session_ticket_key_t *key;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3439
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3440 if (paths == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3441 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3442 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3443
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3444 keys = ngx_array_create(cf->pool, paths->nelts,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3445 sizeof(ngx_ssl_session_ticket_key_t));
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3446 if (keys == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3447 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3448 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3449
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3450 path = paths->elts;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3451 for (i = 0; i < paths->nelts; i++) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3452
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3453 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3454 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3455 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3456
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3457 ngx_memzero(&file, sizeof(ngx_file_t));
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3458 file.name = path[i];
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3459 file.log = cf->log;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3460
7087 47b7ffc3339d Fixed calls to ngx_open_file() in certain places. Sergey Kandaurov <pluknet@nginx.com> parents: 7086 diff changeset	3461 file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY,
47b7ffc3339d Fixed calls to ngx_open_file() in certain places. Sergey Kandaurov <pluknet@nginx.com> parents: 7086 diff changeset	3462 NGX_FILE_OPEN, 0);
7086 577628e6b6a6 Style. Sergey Kandaurov <pluknet@nginx.com> parents: 7074 diff changeset	3463
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3464 if (file.fd == NGX_INVALID_FILE) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3465 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3466 ngx_open_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3467 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3468 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3469
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3470 if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3471 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3472 ngx_fd_info_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3473 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3474 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3475
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3476 size = ngx_file_size(&fi);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3477
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3478 if (size != 48 && size != 80) {
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3479 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3480 "\"%V\" must be 48 or 80 bytes", &file.name);
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3481 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3482 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3483
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3484 n = ngx_read_file(&file, buf, size, 0);
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3485
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3486 if (n == NGX_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3487 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3488 ngx_read_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3489 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3490 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3491
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3492 if ((size_t) n != size) {
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3493 ngx_conf_log_error(NGX_LOG_CRIT, cf, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3494 ngx_read_file_n " \"%V\" returned only "
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3495 "%z bytes instead of %uz", &file.name, n, size);
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3496 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3497 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3498
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3499 key = ngx_array_push(keys);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3500 if (key == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3501 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3502 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3503
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3504 if (size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3505 key->size = 48;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3506 ngx_memcpy(key->name, buf, 16);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3507 ngx_memcpy(key->aes_key, buf + 16, 16);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3508 ngx_memcpy(key->hmac_key, buf + 32, 16);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3509
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3510 } else {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3511 key->size = 80;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3512 ngx_memcpy(key->name, buf, 16);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3513 ngx_memcpy(key->hmac_key, buf + 16, 32);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3514 ngx_memcpy(key->aes_key, buf + 48, 32);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3515 }
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3516
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3517 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3518 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3519 ngx_close_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3520 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3521 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3522
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3523 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3524 == 0)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3525 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3526 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3527 "SSL_CTX_set_ex_data() failed");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3528 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3529 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3530
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3531 if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3532 ngx_ssl_session_ticket_key_callback)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3533 == 0)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3534 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3535 ngx_log_error(NGX_LOG_WARN, cf->log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3536 "nginx was built with Session Tickets support, however, "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3537 "now it is linked dynamically to an OpenSSL library "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3538 "which has no tlsext support, therefore Session Tickets "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3539 "are not available");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3540 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3541
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3542 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3543
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3544 failed:
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3545
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3546 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3547 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3548 ngx_close_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3549 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3550
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3551 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3552 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3553
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3554
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3555 static int
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3556 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3557 unsigned char name, unsigned char iv, EVP_CIPHER_CTX *ectx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3558 HMAC_CTX *hctx, int enc)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3559 {
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3560 size_t size;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3561 SSL_CTX *ssl_ctx;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3562 ngx_uint_t i;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3563 ngx_array_t *keys;
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	3564 ngx_connection_t *c;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3565 ngx_ssl_session_ticket_key_t *key;
6686 f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3566 const EVP_MD *digest;
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3567 const EVP_CIPHER *cipher;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3568 #if (NGX_DEBUG)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3569 u_char buf[32];
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3570 #endif
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3571
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	3572 c = ngx_ssl_get_connection(ssl_conn);
97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	3573 ssl_ctx = c->ssl->session_ctx;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3574
6686 f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3575 #ifdef OPENSSL_NO_SHA256
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3576 digest = EVP_sha1();
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3577 #else
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3578 digest = EVP_sha256();
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3579 #endif
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3580
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3581 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3582 if (keys == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3583 return -1;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3584 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3585
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3586 key = keys->elts;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3587
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3588 if (enc == 1) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3589 /* encrypt session ticket */
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3590
5657 3b48f9e69e70 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. Maxim Dounin <mdounin@mdounin.ru> parents: 5640 diff changeset	3591 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3592 "ssl session ticket encrypt, key: \"%*s\" (%s session)",
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3593 ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3594 SSL_session_reused(ssl_conn) ? "reused" : "new");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3595
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3596 if (key[0].size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3597 cipher = EVP_aes_128_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3598 size = 16;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3599
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3600 } else {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3601 cipher = EVP_aes_256_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3602 size = 32;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3603 }
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3604
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3605 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3606 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3607 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3608 }
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3609
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3610 if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) {
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3611 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3612 "EVP_EncryptInit_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3613 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3614 }
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3615
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3616 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3617 if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3618 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3619 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3620 }
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3621 #else
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3622 HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL);
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3623 #endif
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3624
5760 4b668378ad8b Style: use ngx_memcpy() instead of memcpy(). Piotr Sikora <piotr@cloudflare.com> parents: 5756 diff changeset	3625 ngx_memcpy(name, key[0].name, 16);
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3626
6660 3eb1a92a2f05 SSL: adopted session ticket handling for OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6659 diff changeset	3627 return 1;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3628
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3629 } else {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3630 /* decrypt session ticket */
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3631
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3632 for (i = 0; i < keys->nelts; i++) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3633 if (ngx_memcmp(name, key[i].name, 16) == 0) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3634 goto found;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3635 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3636 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3637
5657 3b48f9e69e70 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. Maxim Dounin <mdounin@mdounin.ru> parents: 5640 diff changeset	3638 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3639 "ssl session ticket decrypt, key: \"%*s\" not found",
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3640 ngx_hex_dump(buf, name, 16) - buf, buf);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3641
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3642 return 0;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3643
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3644 found:
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3645
5657 3b48f9e69e70 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. Maxim Dounin <mdounin@mdounin.ru> parents: 5640 diff changeset	3646 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3647 "ssl session ticket decrypt, key: \"%*s\"%s",
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3648 ngx_hex_dump(buf, key[i].name, 16) - buf, buf,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3649 (i == 0) ? " (default)" : "");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3650
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3651 if (key[i].size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3652 cipher = EVP_aes_128_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3653 size = 16;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3654
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3655 } else {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3656 cipher = EVP_aes_256_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3657 size = 32;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3658 }
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3659
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3660 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3661 if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3662 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3663 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3664 }
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3665 #else
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3666 HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL);
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3667 #endif
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3668
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3669 if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) {
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3670 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3671 "EVP_DecryptInit_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3672 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3673 }
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3674
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3675 return (i == 0) ? 1 : 2 /* renew */;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3676 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3677 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3678
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3679 #else
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3680
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3681 ngx_int_t
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3682 ngx_ssl_session_ticket_keys(ngx_conf_t cf, ngx_ssl_t ssl, ngx_array_t *paths)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3683 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3684 if (paths) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3685 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
7074 07a49cce21ca SSL: fixed typo in the error message. Sergey Kandaurov <pluknet@nginx.com> parents: 6995 diff changeset	3686 "\"ssl_session_ticket_key\" ignored, not supported");
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3687 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3688
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3689 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3690 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3691
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3692 #endif
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3693
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3694
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3695 void
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3696 ngx_ssl_cleanup_ctx(void *data)
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3697 {
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	3698 ngx_ssl_t *ssl = data;
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3699
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3700 X509 cert, next;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3701
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3702 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3703
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3704 while (cert) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3705 next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3706 X509_free(cert);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3707 cert = next;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3708 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3709
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	3710 SSL_CTX_free(ssl->ctx);
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3711 }
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	3712
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	3713
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3714 ngx_int_t
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3715 ngx_ssl_check_host(ngx_connection_t c, ngx_str_t name)
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3716 {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3717 X509 *cert;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3718
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3719 cert = SSL_get_peer_certificate(c->ssl->connection);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3720 if (cert == NULL) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3721 return NGX_ERROR;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3722 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3723
6725 9b9ae81cd4f0 SSL: use X509_check_host() with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 6699 diff changeset	3724 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3725
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3726 /* X509_check_host() is only available in OpenSSL 1.0.2+ */
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3727
5669 cac82b9b3499 SSL: explicit handling of empty names. Maxim Dounin <mdounin@mdounin.ru> parents: 5666 diff changeset	3728 if (name->len == 0) {
cac82b9b3499 SSL: explicit handling of empty names. Maxim Dounin <mdounin@mdounin.ru> parents: 5666 diff changeset	3729 goto failed;
cac82b9b3499 SSL: explicit handling of empty names. Maxim Dounin <mdounin@mdounin.ru> parents: 5666 diff changeset	3730 }
cac82b9b3499 SSL: explicit handling of empty names. Maxim Dounin <mdounin@mdounin.ru> parents: 5666 diff changeset	3731
5767 abd460ece11e SSL: fix build with recent OpenSSL. Piotr Sikora <piotr@cloudflare.com> parents: 5760 diff changeset	3732 if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) {
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3733 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3734 "X509_check_host(): no match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3735 goto failed;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3736 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3737
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3738 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3739 "X509_check_host(): match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3740
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3741 goto found;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3742
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3743 #else
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3744 {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3745 int n, i;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3746 X509_NAME *sname;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3747 ASN1_STRING *str;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3748 X509_NAME_ENTRY *entry;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3749 GENERAL_NAME *altname;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3750 STACK_OF(GENERAL_NAME) *altnames;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3751
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3752 /*
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3753 * As per RFC6125 and RFC2818, we check subjectAltName extension,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3754 * and if it's not present - commonName in Subject is checked.
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3755 */
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3756
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3757 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3758
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3759 if (altnames) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3760 n = sk_GENERAL_NAME_num(altnames);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3761
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3762 for (i = 0; i < n; i++) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3763 altname = sk_GENERAL_NAME_value(altnames, i);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3764
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3765 if (altname->type != GEN_DNS) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3766 continue;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3767 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3768
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3769 str = altname->d.dNSName;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3770
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3771 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3772 "SSL subjectAltName: \"%*s\"",
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3773 ASN1_STRING_length(str), ASN1_STRING_data(str));
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3774
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3775 if (ngx_ssl_check_name(name, str) == NGX_OK) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3776 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3777 "SSL subjectAltName: match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3778 GENERAL_NAMES_free(altnames);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3779 goto found;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3780 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3781 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3782
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3783 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3784 "SSL subjectAltName: no match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3785
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3786 GENERAL_NAMES_free(altnames);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3787 goto failed;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3788 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3789
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3790 /*
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3791 * If there is no subjectAltName extension, check commonName
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3792 * in Subject. While RFC2818 requires to only check "most specific"
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3793 * CN, both Apache and OpenSSL check all CNs, and so do we.
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3794 */
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3795
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3796 sname = X509_get_subject_name(cert);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3797
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3798 if (sname == NULL) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3799 goto failed;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3800 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3801
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3802 i = -1;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3803 for ( ;; ) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3804 i = X509_NAME_get_index_by_NID(sname, NID_commonName, i);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3805
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3806 if (i < 0) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3807 break;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3808 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3809
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3810 entry = X509_NAME_get_entry(sname, i);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3811 str = X509_NAME_ENTRY_get_data(entry);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3812
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3813 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3814 "SSL commonName: \"%*s\"",
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3815 ASN1_STRING_length(str), ASN1_STRING_data(str));
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3816
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3817 if (ngx_ssl_check_name(name, str) == NGX_OK) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3818 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3819 "SSL commonName: match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3820 goto found;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3821 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3822 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3823
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3824 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3825 "SSL commonName: no match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3826 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3827 #endif
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3828
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3829 failed:
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3830
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3831 X509_free(cert);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3832 return NGX_ERROR;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3833
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3834 found:
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3835
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3836 X509_free(cert);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3837 return NGX_OK;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3838 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3839
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3840
6725 9b9ae81cd4f0 SSL: use X509_check_host() with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 6699 diff changeset	3841 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3842
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3843 static ngx_int_t
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3844 ngx_ssl_check_name(ngx_str_t name, ASN1_STRING pattern)
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3845 {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3846 u_char s, p, *end;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3847 size_t slen, plen;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3848
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3849 s = name->data;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3850 slen = name->len;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3851
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3852 p = ASN1_STRING_data(pattern);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3853 plen = ASN1_STRING_length(pattern);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3854
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3855 if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3856 return NGX_OK;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3857 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3858
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3859 if (plen > 2 && p[0] == '*' && p[1] == '.') {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3860 plen -= 1;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3861 p += 1;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3862
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3863 end = s + slen;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3864 s = ngx_strlchr(s, end, '.');
5666 a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3865
a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3866 if (s == NULL) {
a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3867 return NGX_ERROR;
a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3868 }
a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3869
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3870 slen = end - s;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3871
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3872 if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3873 return NGX_OK;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3874 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3875 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3876
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3877 return NGX_ERROR;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3878 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3879
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3880 #endif
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3881
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3882
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3883 ngx_int_t
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3884 ngx_ssl_get_protocol(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3885 {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3886 s->data = (u_char *) SSL_get_version(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3887 return NGX_OK;
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3888 }
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3889
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3890
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3891 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3892 ngx_ssl_get_cipher_name(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3893 {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3894 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3895 return NGX_OK;
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3896 }
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3897
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3898
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3899 ngx_int_t
6816 ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3900 ngx_ssl_get_ciphers(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3901 {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3902 #ifdef SSL_CTRL_GET_RAW_CIPHERLIST
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3903
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3904 int n, i, bytes;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3905 size_t len;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3906 u_char ciphers, p;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3907 const SSL_CIPHER *cipher;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3908
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3909 bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3910 n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3911
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3912 if (n <= 0) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3913 s->len = 0;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3914 return NGX_OK;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3915 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3916
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3917 len = 0;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3918 n /= bytes;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3919
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3920 for (i = 0; i < n; i++) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3921 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3922
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3923 if (cipher) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3924 len += ngx_strlen(SSL_CIPHER_get_name(cipher));
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3925
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3926 } else {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3927 len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3928 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3929
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3930 len += sizeof(":") - 1;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3931 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3932
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3933 s->data = ngx_pnalloc(pool, len);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3934 if (s->data == NULL) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3935 return NGX_ERROR;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3936 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3937
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3938 p = s->data;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3939
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3940 for (i = 0; i < n; i++) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3941 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3942
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3943 if (cipher) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3944 p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher));
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3945
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3946 } else {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3947 p = ngx_sprintf(p, "0x");
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3948 p = ngx_hex_dump(p, ciphers + i * bytes, bytes);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3949 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3950
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3951 *p++ = ':';
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3952 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3953
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3954 p--;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3955
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3956 s->len = p - s->data;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3957
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3958 #else
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3959
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3960 u_char buf[4096];
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3961
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3962 if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096)
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3963 == NULL)
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3964 {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3965 s->len = 0;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3966 return NGX_OK;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3967 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3968
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3969 s->len = ngx_strlen(buf);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3970 s->data = ngx_pnalloc(pool, s->len);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3971 if (s->data == NULL) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3972 return NGX_ERROR;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3973 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3974
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3975 ngx_memcpy(s->data, buf, s->len);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3976
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3977 #endif
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3978
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3979 return NGX_OK;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3980 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3981
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3982
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3983 ngx_int_t
6817 e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3984 ngx_ssl_get_curves(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3985 {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3986 #ifdef SSL_CTRL_GET_CURVES
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3987
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3988 int *curves, n, i, nid;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3989 u_char *p;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3990 size_t len;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3991
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3992 n = SSL_get1_curves(c->ssl->connection, NULL);
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3993
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3994 if (n <= 0) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3995 s->len = 0;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3996 return NGX_OK;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3997 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3998
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3999 curves = ngx_palloc(pool, n * sizeof(int));
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4000
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4001 n = SSL_get1_curves(c->ssl->connection, curves);
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4002 len = 0;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4003
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4004 for (i = 0; i < n; i++) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4005 nid = curves[i];
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4006
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4007 if (nid & TLSEXT_nid_unknown) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4008 len += sizeof("0x0000") - 1;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4009
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4010 } else {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4011 len += ngx_strlen(OBJ_nid2sn(nid));
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4012 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4013
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4014 len += sizeof(":") - 1;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4015 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4016
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4017 s->data = ngx_pnalloc(pool, len);
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4018 if (s->data == NULL) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4019 return NGX_ERROR;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4020 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4021
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4022 p = s->data;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4023
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4024 for (i = 0; i < n; i++) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4025 nid = curves[i];
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4026
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4027 if (nid & TLSEXT_nid_unknown) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4028 p = ngx_sprintf(p, "0x%04xd", nid & 0xffff);
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4029
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4030 } else {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4031 p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid));
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4032 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4033
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4034 *p++ = ':';
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4035 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4036
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4037 p--;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4038
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4039 s->len = p - s->data;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4040
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4041 #else
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4042
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4043 s->len = 0;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4044
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4045 #endif
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4046
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4047 return NGX_OK;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4048 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4049
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4050
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	4051 ngx_int_t
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4052 ngx_ssl_get_session_id(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4053 {
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4054 u_char *buf;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4055 SSL_SESSION *sess;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4056 unsigned int len;
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4057
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4058 sess = SSL_get0_session(c->ssl->connection);
5537 49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. Maxim Dounin <mdounin@mdounin.ru> parents: 5531 diff changeset	4059 if (sess == NULL) {
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. Maxim Dounin <mdounin@mdounin.ru> parents: 5531 diff changeset	4060 s->len = 0;
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. Maxim Dounin <mdounin@mdounin.ru> parents: 5531 diff changeset	4061 return NGX_OK;
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. Maxim Dounin <mdounin@mdounin.ru> parents: 5531 diff changeset	4062 }
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4063
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4064 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4065
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4066 buf = (u_char *) SSL_SESSION_get_id(sess, &len);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4067
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4068 #else
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4069
5531 97e3769637a7 SSL: fixed $ssl_session_id variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5487 diff changeset	4070 buf = sess->session_id;
97e3769637a7 SSL: fixed $ssl_session_id variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5487 diff changeset	4071 len = sess->session_id_length;
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4072
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4073 #endif
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	4074
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4075 s->len = 2 * len;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4076 s->data = ngx_pnalloc(pool, 2 * len);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4077 if (s->data == NULL) {
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4078 return NGX_ERROR;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4079 }
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4080
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4081 ngx_hex_dump(s->data, buf, len);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4082
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4083 return NGX_OK;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4084 }
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4085
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4086
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	4087 ngx_int_t
5573 7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4088 ngx_ssl_get_session_reused(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4089 {
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4090 if (SSL_session_reused(c->ssl->connection)) {
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4091 ngx_str_set(s, "r");
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4092
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4093 } else {
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4094 ngx_str_set(s, ".");
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4095 }
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4096
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4097 return NGX_OK;
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4098 }
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4099
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4100
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	4101 ngx_int_t
7333 ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4102 ngx_ssl_get_early_data(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4103 {
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4104 s->len = 0;
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4105
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4106 #ifdef SSL_ERROR_EARLY_DATA_REJECTED
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4107
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4108 /* BoringSSL */
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4109
7333 ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4110 if (SSL_in_early_data(c->ssl->connection)) {
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4111 ngx_str_set(s, "1");
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4112 }
7357 548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4113
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4114 #elif defined SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4115
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4116 /* OpenSSL */
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4117
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4118 if (!SSL_is_init_finished(c->ssl->connection)) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4119 ngx_str_set(s, "1");
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4120 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL. Sergey Kandaurov <pluknet@nginx.com> parents: 7356 diff changeset	4121
7333 ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4122 #endif
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4123
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4124 return NGX_OK;
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4125 }
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4126
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4127
ba971deb4b44 SSL: support for TLSv1.3 early data with BoringSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 7332 diff changeset	4128 ngx_int_t
5658 94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4129 ngx_ssl_get_server_name(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4130 {
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4131 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4132
7092 2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4133 size_t len;
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4134 const char *name;
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4135
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4136 name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4137
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4138 if (name) {
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4139 len = ngx_strlen(name);
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4140
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4141 s->len = len;
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4142 s->data = ngx_pnalloc(pool, len);
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4143 if (s->data == NULL) {
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4144 return NGX_ERROR;
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4145 }
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4146
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4147 ngx_memcpy(s->data, name, len);
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	4148
5658 94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4149 return NGX_OK;
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4150 }
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4151
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4152 #endif
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4153
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4154 s->len = 0;
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4155 return NGX_OK;
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4156 }
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4157
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4158
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	4159 ngx_int_t
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4160 ngx_ssl_get_raw_certificate(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
2045 2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4161 {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4162 size_t len;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4163 BIO *bio;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4164 X509 *cert;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4165
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4166 s->len = 0;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4167
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4168 cert = SSL_get_peer_certificate(c->ssl->connection);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4169 if (cert == NULL) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4170 return NGX_OK;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4171 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4172
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4173 bio = BIO_new(BIO_s_mem());
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4174 if (bio == NULL) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4175 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4176 X509_free(cert);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4177 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4178 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4179
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4180 if (PEM_write_bio_X509(bio, cert) == 0) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4181 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4182 goto failed;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4183 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4184
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4185 len = BIO_pending(bio);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4186 s->len = len;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4187
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	4188 s->data = ngx_pnalloc(pool, len);
2045 2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4189 if (s->data == NULL) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4190 goto failed;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4191 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4192
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4193 BIO_read(bio, s->data, len);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4194
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4195 BIO_free(bio);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4196 X509_free(cert);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4197
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4198 return NGX_OK;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4199
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4200 failed:
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4201
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4202 BIO_free(bio);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4203 X509_free(cert);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4204
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4205 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4206 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4207
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4208
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	4209 ngx_int_t
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4210 ngx_ssl_get_certificate(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4211 {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4212 u_char *p;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4213 size_t len;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4214 ngx_uint_t i;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4215 ngx_str_t cert;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4216
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4217 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4218 return NGX_ERROR;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4219 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4220
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4221 if (cert.len == 0) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4222 s->len = 0;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4223 return NGX_OK;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4224 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4225
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4226 len = cert.len - 1;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4227
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4228 for (i = 0; i < cert.len - 1; i++) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4229 if (cert.data[i] == LF) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4230 len++;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4231 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4232 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4233
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4234 s->len = len;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4235 s->data = ngx_pnalloc(pool, len);
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4236 if (s->data == NULL) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4237 return NGX_ERROR;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4238 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4239
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4240 p = s->data;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4241
3002 bf0c7e58e016 fix memory corruption in $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2997 diff changeset	4242 for (i = 0; i < cert.len - 1; i++) {
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4243 *p++ = cert.data[i];
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4244 if (cert.data[i] == LF) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4245 *p++ = '\t';
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4246 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4247 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4248
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4249 return NGX_OK;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4250 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4251
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4252
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	4253 ngx_int_t
7091 82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4254 ngx_ssl_get_escaped_certificate(ngx_connection_t c, ngx_pool_t pool,
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4255 ngx_str_t *s)
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4256 {
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4257 ngx_str_t cert;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4258 uintptr_t n;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4259
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4260 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4261 return NGX_ERROR;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4262 }
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4263
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4264 if (cert.len == 0) {
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4265 s->len = 0;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4266 return NGX_OK;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4267 }
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4268
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4269 n = ngx_escape_uri(NULL, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT);
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4270
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4271 s->len = cert.len + n * 2;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4272 s->data = ngx_pnalloc(pool, s->len);
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4273 if (s->data == NULL) {
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4274 return NGX_ERROR;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4275 }
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4276
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4277 ngx_escape_uri(s->data, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT);
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4278
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4279 return NGX_OK;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4280 }
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4281
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4282
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	4283 ngx_int_t
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4284 ngx_ssl_get_subject_dn(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4285 {
6780 56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4286 BIO *bio;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4287 X509 *cert;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4288 X509_NAME *name;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4289
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4290 s->len = 0;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4291
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4292 cert = SSL_get_peer_certificate(c->ssl->connection);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4293 if (cert == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4294 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4295 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4296
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4297 name = X509_get_subject_name(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4298 if (name == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4299 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4300 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4301
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4302 bio = BIO_new(BIO_s_mem());
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4303 if (bio == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4304 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4305 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4306 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4307
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4308 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4309 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4310 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4311
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4312 s->len = BIO_pending(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4313 s->data = ngx_pnalloc(pool, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4314 if (s->data == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4315 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4316 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4317
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4318 BIO_read(bio, s->data, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4319
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4320 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4321 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4322
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4323 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4324
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4325 failed:
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4326
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4327 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4328 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4329
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4330 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4331 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4332
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4333
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4334 ngx_int_t
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4335 ngx_ssl_get_issuer_dn(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4336 {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4337 BIO *bio;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4338 X509 *cert;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4339 X509_NAME *name;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4340
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4341 s->len = 0;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4342
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4343 cert = SSL_get_peer_certificate(c->ssl->connection);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4344 if (cert == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4345 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4346 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4347
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4348 name = X509_get_issuer_name(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4349 if (name == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4350 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4351 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4352
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4353 bio = BIO_new(BIO_s_mem());
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4354 if (bio == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4355 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4356 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4357 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4358
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4359 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4360 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4361 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4362
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4363 s->len = BIO_pending(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4364 s->data = ngx_pnalloc(pool, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4365 if (s->data == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4366 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4367 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4368
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4369 BIO_read(bio, s->data, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4370
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4371 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4372 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4373
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4374 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4375
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4376 failed:
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4377
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4378 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4379 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4380
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4381 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4382 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4383
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4384
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4385 ngx_int_t
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4386 ngx_ssl_get_subject_dn_legacy(ngx_connection_t c, ngx_pool_t pool,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4387 ngx_str_t *s)
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4388 {
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4389 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4390 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4391 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4392 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4393
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4394 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4395
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4396 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4397 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4398 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4399 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4400
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4401 name = X509_get_subject_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4402 if (name == NULL) {
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	4403 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4404 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4405 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4406
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4407 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4408
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4409 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4410
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4411 s->len = len;
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	4412 s->data = ngx_pnalloc(pool, len);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4413 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4414 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	4415 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4416 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4417 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4418
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4419 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4420
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4421 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	4422 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4423
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4424 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4425 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4426
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4427
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4428 ngx_int_t
6780 56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4429 ngx_ssl_get_issuer_dn_legacy(ngx_connection_t c, ngx_pool_t pool,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	4430 ngx_str_t *s)
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4431 {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4432 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4433 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4434 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4435 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4436
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4437 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4438
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4439 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4440 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4441 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4442 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4443
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4444 name = X509_get_issuer_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4445 if (name == NULL) {
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	4446 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4447 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4448 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4449
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4450 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4451
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4452 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4453
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4454 s->len = len;
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	4455 s->data = ngx_pnalloc(pool, len);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4456 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4457 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	4458 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4459 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4460 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4461
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4462 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4463
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4464 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	4465 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4466
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4467 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4468 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4469
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	4470
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4471 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4472 ngx_ssl_get_serial_number(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4473 {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4474 size_t len;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4475 X509 *cert;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4476 BIO *bio;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4477
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4478 s->len = 0;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4479
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4480 cert = SSL_get_peer_certificate(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4481 if (cert == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4482 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4483 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4484
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4485 bio = BIO_new(BIO_s_mem());
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4486 if (bio == NULL) {
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	4487 X509_free(cert);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4488 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4489 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4490
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4491 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert));
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4492 len = BIO_pending(bio);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4493
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4494 s->len = len;
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	4495 s->data = ngx_pnalloc(pool, len);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4496 if (s->data == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4497 BIO_free(bio);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	4498 X509_free(cert);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4499 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4500 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4501
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4502 BIO_read(bio, s->data, len);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4503 BIO_free(bio);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	4504 X509_free(cert);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4505
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4506 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4507 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4508
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	4509
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4510 ngx_int_t
5700 5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4511 ngx_ssl_get_fingerprint(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4512 {
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4513 X509 *cert;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4514 unsigned int len;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4515 u_char buf[EVP_MAX_MD_SIZE];
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4516
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4517 s->len = 0;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4518
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4519 cert = SSL_get_peer_certificate(c->ssl->connection);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4520 if (cert == NULL) {
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4521 return NGX_OK;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4522 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4523
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4524 if (!X509_digest(cert, EVP_sha1(), buf, &len)) {
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4525 X509_free(cert);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4526 return NGX_ERROR;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4527 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4528
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4529 s->len = 2 * len;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4530 s->data = ngx_pnalloc(pool, 2 * len);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4531 if (s->data == NULL) {
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4532 X509_free(cert);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4533 return NGX_ERROR;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4534 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4535
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4536 ngx_hex_dump(s->data, buf, len);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4537
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4538 X509_free(cert);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4539
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4540 return NGX_OK;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4541 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4542
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4543
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	4544 ngx_int_t
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4545 ngx_ssl_get_client_verify(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4546 {
6814 379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4547 X509 *cert;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4548 long rc;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4549 const char *str;
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4550
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4551 cert = SSL_get_peer_certificate(c->ssl->connection);
6814 379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4552 if (cert == NULL) {
3516 dd1570b6f237 ngx_str_set() and ngx_str_null() Igor Sysoev <igor@sysoev.ru> parents: 3488 diff changeset	4553 ngx_str_set(s, "NONE");
6814 379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4554 return NGX_OK;
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4555 }
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4556
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4557 X509_free(cert);
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4558
6814 379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4559 rc = SSL_get_verify_result(c->ssl->connection);
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4560
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4561 if (rc == X509_V_OK) {
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4562 ngx_str_set(s, "SUCCESS");
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4563 return NGX_OK;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4564 }
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4565
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4566 str = X509_verify_cert_error_string(rc);
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4567
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4568 s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4569 if (s->data == NULL) {
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4570 return NGX_ERROR;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4571 }
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4572
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4573 s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	4574
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4575 return NGX_OK;
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4576 }
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4577
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4578
6815 2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4579 ngx_int_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4580 ngx_ssl_get_client_v_start(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4581 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4582 BIO *bio;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4583 X509 *cert;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4584 size_t len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4585
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4586 s->len = 0;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4587
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4588 cert = SSL_get_peer_certificate(c->ssl->connection);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4589 if (cert == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4590 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4591 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4592
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4593 bio = BIO_new(BIO_s_mem());
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4594 if (bio == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4595 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4596 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4597 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4598
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4599 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4600 ASN1_TIME_print(bio, X509_get0_notBefore(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4601 #else
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4602 ASN1_TIME_print(bio, X509_get_notBefore(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4603 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4604
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4605 len = BIO_pending(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4606
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4607 s->len = len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4608 s->data = ngx_pnalloc(pool, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4609 if (s->data == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4610 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4611 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4612 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4613 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4614
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4615 BIO_read(bio, s->data, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4616 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4617 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4618
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4619 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4620 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4621
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4622
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4623 ngx_int_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4624 ngx_ssl_get_client_v_end(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4625 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4626 BIO *bio;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4627 X509 *cert;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4628 size_t len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4629
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4630 s->len = 0;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4631
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4632 cert = SSL_get_peer_certificate(c->ssl->connection);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4633 if (cert == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4634 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4635 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4636
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4637 bio = BIO_new(BIO_s_mem());
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4638 if (bio == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4639 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4640 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4641 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4642
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4643 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4644 ASN1_TIME_print(bio, X509_get0_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4645 #else
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4646 ASN1_TIME_print(bio, X509_get_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4647 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4648
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4649 len = BIO_pending(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4650
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4651 s->len = len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4652 s->data = ngx_pnalloc(pool, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4653 if (s->data == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4654 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4655 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4656 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4657 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4658
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4659 BIO_read(bio, s->data, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4660 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4661 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4662
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4663 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4664 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4665
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4666
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4667 ngx_int_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4668 ngx_ssl_get_client_v_remain(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4669 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4670 X509 *cert;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4671 time_t now, end;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4672
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4673 s->len = 0;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4674
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4675 cert = SSL_get_peer_certificate(c->ssl->connection);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4676 if (cert == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4677 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4678 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4679
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4680 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4681 end = ngx_ssl_parse_time(X509_get0_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4682 #else
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4683 end = ngx_ssl_parse_time(X509_get_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4684 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4685
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4686 if (end == (time_t) NGX_ERROR) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4687 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4688 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4689 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4690
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4691 now = ngx_time();
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4692
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4693 if (end < now + 86400) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4694 ngx_str_set(s, "0");
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4695 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4696 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4697 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4698
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4699 s->data = ngx_pnalloc(pool, NGX_TIME_T_LEN);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4700 if (s->data == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4701 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4702 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4703 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4704
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4705 s->len = ngx_sprintf(s->data, "%T", (end - now) / 86400) - s->data;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4706
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4707 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4708
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4709 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4710 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4711
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4712
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4713 static time_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4714 ngx_ssl_parse_time(
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4715 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4716 const
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4717 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4718 ASN1_TIME *asn1time)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4719 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4720 BIO *bio;
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	4721 char *value;
6815 2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4722 size_t len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4723 time_t time;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4724
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4725 /*
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4726 * OpenSSL doesn't provide a way to convert ASN1_TIME
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4727 * into time_t. To do this, we use ASN1_TIME_print(),
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4728 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g.,
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4729 * "Feb 3 00:55:52 2015 GMT"), and parse the result.
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4730 */
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4731
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4732 bio = BIO_new(BIO_s_mem());
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4733 if (bio == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4734 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4735 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4736
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4737 /* fake weekday prepended to match C asctime() format */
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4738
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4739 BIO_write(bio, "Tue ", sizeof("Tue ") - 1);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4740 ASN1_TIME_print(bio, asn1time);
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	4741 len = BIO_get_mem_data(bio, &value);
25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	4742
25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	4743 time = ngx_parse_http_time((u_char *) value, len);
6815 2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4744
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4745 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4746
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4747 return time;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4748 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4749
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4750
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4751 static void *
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4752 ngx_openssl_create_conf(ngx_cycle_t *cycle)
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4753 {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4754 ngx_openssl_conf_t *oscf;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4755
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4756 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t));
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4757 if (oscf == NULL) {
2912 c7d57b539248 return NULL instead of NGX_CONF_ERROR on a create conf failure Igor Sysoev <igor@sysoev.ru> parents: 2764 diff changeset	4758 return NULL;
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4759 }
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4760
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4761 /*
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4762 * set by ngx_pcalloc():
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4763 *
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4764 * oscf->engine = 0;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4765 */
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4766
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4767 return oscf;
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4768 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4769
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4770
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4771 static char *
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4772 ngx_openssl_engine(ngx_conf_t cf, ngx_command_t cmd, void *conf)
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4773 {
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4774 #ifndef OPENSSL_NO_ENGINE
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4775
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4776 ngx_openssl_conf_t *oscf = conf;
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4777
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4778 ENGINE *engine;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4779 ngx_str_t *value;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4780
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4781 if (oscf->engine) {
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4782 return "is duplicate";
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4783 }
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4784
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4785 oscf->engine = 1;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4786
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4787 value = cf->args->elts;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4788
6552 addd98357629 SSL: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6551 diff changeset	4789 engine = ENGINE_by_id((char *) value[1].data);
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4790
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4791 if (engine == NULL) {
6699 9cf2dce316e5 Fixed log levels of configuration parsing errors. Valentin Bartenev <vbart@nginx.com> parents: 6687 diff changeset	4792 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4793 "ENGINE_by_id(\"%V\") failed", &value[1]);
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4794 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4795 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4796
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4797 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
6699 9cf2dce316e5 Fixed log levels of configuration parsing errors. Valentin Bartenev <vbart@nginx.com> parents: 6687 diff changeset	4798 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4799 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4800 &value[1]);
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4801
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4802 ENGINE_free(engine);
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4803
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4804 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4805 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4806
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4807 ENGINE_free(engine);
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4808
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4809 return NGX_CONF_OK;
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4810
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4811 #else
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4812
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4813 return "is not supported";
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4814
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4815 #endif
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4816 }
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4817
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4818
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4819 static void
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4820 ngx_openssl_exit(ngx_cycle_t *cycle)
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4821 {
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	4822 #if OPENSSL_VERSION_NUMBER < 0x10100003L
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	4823
3464 7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error Igor Sysoev <igor@sysoev.ru> parents: 3457 diff changeset	4824 EVP_cleanup();
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4825 #ifndef OPENSSL_NO_ENGINE
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4826 ENGINE_cleanup();
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4827 #endif
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	4828
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	4829 #endif
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4830 }

Mercurial > hg > nginx

annotate src/event/ngx_event_openssl.c @ 7372:ed8738b1c7c4