Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 5756:5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
SSL_SESSION struct is internal part of the OpenSSL library and it's fields
should be accessed via API (when exposed), not directly.
The unfortunate side-effect of this change is that we're losing reference
count that used to be printed at the debug log level, but this seems to be
an acceptable trade-off.
Almost fixes build with -DOPENSSL_NO_SSL_INTERN.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
| author | Piotr Sikora <piotr@cloudflare.com> |
|---|---|
| date | Sun, 06 Jul 2014 16:41:14 -0700 |
| parents | 8df08465fcfd |
| children | 4b668378ad8b |
comparison
equal
deleted
inserted
replaced
| 5755:8df08465fcfd | 5756:5b7276408565 |
|---|---|
| 2076 | 2076 |
| 2077 static int | 2077 static int |
| 2078 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) | 2078 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
| 2079 { | 2079 { |
| 2080 int len; | 2080 int len; |
| 2081 u_char *p, *id, *cached_sess; | 2081 u_char *p, *id, *cached_sess, *session_id; |
| 2082 uint32_t hash; | 2082 uint32_t hash; |
| 2083 SSL_CTX *ssl_ctx; | 2083 SSL_CTX *ssl_ctx; |
| 2084 unsigned int session_id_length; | |
| 2084 ngx_shm_zone_t *shm_zone; | 2085 ngx_shm_zone_t *shm_zone; |
| 2085 ngx_connection_t *c; | 2086 ngx_connection_t *c; |
| 2086 ngx_slab_pool_t *shpool; | 2087 ngx_slab_pool_t *shpool; |
| 2087 ngx_ssl_sess_id_t *sess_id; | 2088 ngx_ssl_sess_id_t *sess_id; |
| 2088 ngx_ssl_session_cache_t *cache; | 2089 ngx_ssl_session_cache_t *cache; |
| 2141 if (sess_id == NULL) { | 2142 if (sess_id == NULL) { |
| 2142 goto failed; | 2143 goto failed; |
| 2143 } | 2144 } |
| 2144 } | 2145 } |
| 2145 | 2146 |
| 2147 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL | |
| 2148 | |
| 2149 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length); | |
| 2150 | |
| 2151 #else | |
| 2152 | |
| 2153 session_id = sess->session_id; | |
| 2154 session_id_length = sess->session_id_length; | |
| 2155 | |
| 2156 #endif | |
| 2157 | |
| 2146 #if (NGX_PTR_SIZE == 8) | 2158 #if (NGX_PTR_SIZE == 8) |
| 2147 | 2159 |
| 2148 id = sess_id->sess_id; | 2160 id = sess_id->sess_id; |
| 2149 | 2161 |
| 2150 #else | 2162 #else |
| 2151 | 2163 |
| 2152 id = ngx_slab_alloc_locked(shpool, sess->session_id_length); | 2164 id = ngx_slab_alloc_locked(shpool, session_id_length); |
| 2153 | 2165 |
| 2154 if (id == NULL) { | 2166 if (id == NULL) { |
| 2155 | 2167 |
| 2156 /* drop the oldest non-expired session and try once more */ | 2168 /* drop the oldest non-expired session and try once more */ |
| 2157 | 2169 |
| 2158 ngx_ssl_expire_sessions(cache, shpool, 0); | 2170 ngx_ssl_expire_sessions(cache, shpool, 0); |
| 2159 | 2171 |
| 2160 id = ngx_slab_alloc_locked(shpool, sess->session_id_length); | 2172 id = ngx_slab_alloc_locked(shpool, session_id_length); |
| 2161 | 2173 |
| 2162 if (id == NULL) { | 2174 if (id == NULL) { |
| 2163 goto failed; | 2175 goto failed; |
| 2164 } | 2176 } |
| 2165 } | 2177 } |
| 2166 | 2178 |
| 2167 #endif | 2179 #endif |
| 2168 | 2180 |
| 2169 ngx_memcpy(cached_sess, buf, len); | 2181 ngx_memcpy(cached_sess, buf, len); |
| 2170 | 2182 |
| 2171 ngx_memcpy(id, sess->session_id, sess->session_id_length); | 2183 ngx_memcpy(id, session_id, session_id_length); |
| 2172 | 2184 |
| 2173 hash = ngx_crc32_short(sess->session_id, sess->session_id_length); | 2185 hash = ngx_crc32_short(session_id, session_id_length); |
| 2174 | 2186 |
| 2175 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, | 2187 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 2176 "ssl new session: %08XD:%d:%d", | 2188 "ssl new session: %08XD:%ud:%d", |
| 2177 hash, sess->session_id_length, len); | 2189 hash, session_id_length, len); |
| 2178 | 2190 |
| 2179 sess_id->node.key = hash; | 2191 sess_id->node.key = hash; |
| 2180 sess_id->node.data = (u_char) sess->session_id_length; | 2192 sess_id->node.data = (u_char) session_id_length; |
| 2181 sess_id->id = id; | 2193 sess_id->id = id; |
| 2182 sess_id->len = len; | 2194 sess_id->len = len; |
| 2183 sess_id->session = cached_sess; | 2195 sess_id->session = cached_sess; |
| 2184 | 2196 |
| 2185 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); | 2197 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); |
| 2323 | 2335 |
| 2324 | 2336 |
| 2325 static void | 2337 static void |
| 2326 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) | 2338 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
| 2327 { | 2339 { |
| 2328 size_t len; | |
| 2329 u_char *id; | 2340 u_char *id; |
| 2330 uint32_t hash; | 2341 uint32_t hash; |
| 2331 ngx_int_t rc; | 2342 ngx_int_t rc; |
| 2343 unsigned int len; | |
| 2332 ngx_shm_zone_t *shm_zone; | 2344 ngx_shm_zone_t *shm_zone; |
| 2333 ngx_slab_pool_t *shpool; | 2345 ngx_slab_pool_t *shpool; |
| 2334 ngx_rbtree_node_t *node, *sentinel; | 2346 ngx_rbtree_node_t *node, *sentinel; |
| 2335 ngx_ssl_sess_id_t *sess_id; | 2347 ngx_ssl_sess_id_t *sess_id; |
| 2336 ngx_ssl_session_cache_t *cache; | 2348 ngx_ssl_session_cache_t *cache; |
| 2341 return; | 2353 return; |
| 2342 } | 2354 } |
| 2343 | 2355 |
| 2344 cache = shm_zone->data; | 2356 cache = shm_zone->data; |
| 2345 | 2357 |
| 2358 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL | |
| 2359 | |
| 2360 id = (u_char *) SSL_SESSION_get_id(sess, &len); | |
| 2361 | |
| 2362 #else | |
| 2363 | |
| 2346 id = sess->session_id; | 2364 id = sess->session_id; |
| 2347 len = (size_t) sess->session_id_length; | 2365 len = sess->session_id_length; |
| 2366 | |
| 2367 #endif | |
| 2348 | 2368 |
| 2349 hash = ngx_crc32_short(id, len); | 2369 hash = ngx_crc32_short(id, len); |
| 2350 | 2370 |
| 2351 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, | 2371 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
| 2352 "ssl remove session: %08XD:%uz", hash, len); | 2372 "ssl remove session: %08XD:%ud", hash, len); |
| 2353 | 2373 |
| 2354 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; | 2374 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
| 2355 | 2375 |
| 2356 ngx_shmtx_lock(&shpool->mutex); | 2376 ngx_shmtx_lock(&shpool->mutex); |
| 2357 | 2377 |
| 2889 | 2909 |
| 2890 | 2910 |
| 2891 ngx_int_t | 2911 ngx_int_t |
| 2892 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | 2912 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 2893 { | 2913 { |
| 2894 int len; | 2914 u_char *buf; |
| 2895 u_char *buf; | 2915 SSL_SESSION *sess; |
| 2896 SSL_SESSION *sess; | 2916 unsigned int len; |
| 2897 | 2917 |
| 2898 sess = SSL_get0_session(c->ssl->connection); | 2918 sess = SSL_get0_session(c->ssl->connection); |
| 2899 if (sess == NULL) { | 2919 if (sess == NULL) { |
| 2900 s->len = 0; | 2920 s->len = 0; |
| 2901 return NGX_OK; | 2921 return NGX_OK; |
| 2902 } | 2922 } |
| 2903 | 2923 |
| 2924 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL | |
| 2925 | |
| 2926 buf = (u_char *) SSL_SESSION_get_id(sess, &len); | |
| 2927 | |
| 2928 #else | |
| 2929 | |
| 2904 buf = sess->session_id; | 2930 buf = sess->session_id; |
| 2905 len = sess->session_id_length; | 2931 len = sess->session_id_length; |
| 2932 | |
| 2933 #endif | |
| 2906 | 2934 |
| 2907 s->len = 2 * len; | 2935 s->len = 2 * len; |
| 2908 s->data = ngx_pnalloc(pool, 2 * len); | 2936 s->data = ngx_pnalloc(pool, 2 * len); |
| 2909 if (s->data == NULL) { | 2937 if (s->data == NULL) { |
| 2910 return NGX_ERROR; | 2938 return NGX_ERROR; |