annotate src/event/ngx_event_openssl.c @ 3437:90d746a95258 stable-0.7
merge r3283, r3284:
fix segfault if $limit_rate was logged
fix segfault in SSL if limit_rate is used
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Mon, 01 Feb 2010 15:20:43 +0000 |
parents | 966f9cf9c7da |
children | d513f9d30208 |
rev | line source |
---|---|
2 /* |
3 * Copyright (C) Igor Sysoev |
4 */ |
7 #include <ngx_config.h> |
8 #include <ngx_core.h> |
9 #include <ngx_event.h> |
541 | 11 |
/*
 * Configuration record of the "openssl" core module.  The single field is a
 * flag kept in a full ngx_uint_t; the original comment records that it is
 * logically a one-bit value.
 */
typedef struct {
    ngx_uint_t  engine;   /* unsigned  engine:1; */
} ngx_openssl_conf_t;
479 | 15 |
16 |
/* certificate verification and handshake/IO event plumbing */

static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
    int ret);
static void ngx_ssl_handshake_handler(ngx_event_t *ev);
static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
static void ngx_ssl_write_handler(ngx_event_t *wev);
static void ngx_ssl_read_handler(ngx_event_t *rev);
static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
    ngx_err_t err, char *text);
static void ngx_ssl_clear_error(ngx_log_t *log);

/* shared-memory session cache callbacks */

static ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone,
    void *data);
static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
    ngx_ssl_session_t *sess);
static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
    u_char *id, int len, int *copy);
static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
    ngx_slab_pool_t *shpool, ngx_uint_t n);
static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
    ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel);

/* "openssl" core module hooks */

static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void ngx_openssl_exit(ngx_cycle_t *cycle);
541 | 44 |
45 | |
/*
 * Directives owned by the "openssl" core module.  Only "ssl_engine" is
 * defined: it is accepted in the main configuration context, takes exactly
 * one argument and is handled by ngx_openssl_engine().
 */
static ngx_command_t  ngx_openssl_commands[] = {

    { ngx_string("ssl_engine"),
      NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
      ngx_openssl_engine,
      0,
      0,
      NULL },

      ngx_null_command
};
57 | |
58 | |
/*
 * Core-module context: module name, configuration constructor, and no
 * init-conf hook (the third slot is NULL).
 */
static ngx_core_module_t  ngx_openssl_module_ctx = {
    ngx_string("openssl"),
    ngx_openssl_create_conf,
    NULL
};
541 | 64 |
65 | |
/*
 * Module descriptor.  The only lifecycle hook in use is "exit master",
 * which runs ngx_openssl_exit(); every other hook is left NULL.
 */
ngx_module_t  ngx_openssl_module = {
    NGX_MODULE_V1,
    &ngx_openssl_module_ctx,               /* module context */
    ngx_openssl_commands,                  /* module directives */
    NGX_CORE_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    ngx_openssl_exit,                      /* exit master */
    NGX_MODULE_V1_PADDING
};
80 | |
81 | |
/*
 * Lookup table from an "enabled protocols" bit mask to the SSL_OP_NO_*
 * options that switch off everything else.  ngx_ssl_create() indexes it with
 * (protocols >> 1), so the index is a 3-bit value in which, judging by the
 * entries, bit 0 stands for SSLv2, bit 1 for SSLv3 and bit 2 for TLSv1.
 * The table has exactly eight entries; an index above 7 would read past it,
 * so callers must pass only those three protocol bits.
 */
static long  ngx_ssl_protocols[] = {
    SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,   /* 0: nothing enabled */
    SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1,                   /* 1: SSLv2 only */
    SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1,                   /* 2: SSLv3 only */
    SSL_OP_NO_TLSv1,                                   /* 3: SSLv2 + SSLv3 */
    SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3,                   /* 4: TLSv1 only */
    SSL_OP_NO_SSLv3,                                   /* 5: SSLv2 + TLSv1 */
    SSL_OP_NO_SSLv2,                                   /* 6: SSLv3 + TLSv1 */
    0,                                                 /* 7: all three */
};
/*
 * OpenSSL ex_data slot numbers, assigned once in ngx_ssl_init():
 * the first is a per-SSL slot (used to attach the ngx_connection_t),
 * the other two are per-SSL_CTX slots.
 */
int  ngx_ssl_connection_index;
int  ngx_ssl_server_conf_index;
int  ngx_ssl_session_cache_index;
671 | 97 |
98 | |
/*
 * One-time OpenSSL library initialisation.
 *
 * Loads the default OpenSSL configuration, initialises the library and its
 * error strings, registers the built-in engines, and reserves three ex_data
 * slots (one per SSL object, two per SSL_CTX) whose numbers are stored in
 * the ngx_ssl_*_index globals.
 *
 * Returns NGX_OK, or NGX_ERROR (after logging at alert level) if any slot
 * cannot be reserved.
 */
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
    OPENSSL_config(NULL);

    SSL_library_init();
    SSL_load_error_strings();

    ENGINE_load_builtin_engines();

    /* per-connection slot: holds the owning ngx_connection_t */

    ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
    if (ngx_ssl_connection_index == -1) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
        return NGX_ERROR;
    }

    /* per-context slot: filled by ngx_ssl_create() with its "data" pointer */

    ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
                                                         NULL);
    if (ngx_ssl_server_conf_index == -1) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0,
                      "SSL_CTX_get_ex_new_index() failed");
        return NGX_ERROR;
    }

    /* per-context slot for the session cache */

    ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
                                                           NULL);
    if (ngx_ssl_session_cache_index == -1) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0,
                      "SSL_CTX_get_ex_new_index() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}
/*
 * Create the SSL_CTX for one configuration block and apply the common
 * option set.
 *
 * ssl        receives the new context in ssl->ctx; ssl->log is used for errors
 * protocols  bit mask of enabled protocols; (protocols >> 1) indexes the
 *            eight-entry ngx_ssl_protocols[] table, so only the three
 *            protocol bits may be set
 * data       opaque pointer stored in the context's server-conf ex_data slot
 *
 * Returns NGX_OK or NGX_ERROR.  On the ex_data failure path the freshly
 * created context is left in ssl->ctx for the caller to dispose of.
 */
ngx_int_t
ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
{
    long  proto_opts;

    ssl->ctx = SSL_CTX_new(SSLv23_method());
    if (ssl->ctx == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
        return NGX_ERROR;
    }

    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }

    /* client side options */

    SSL_CTX_set_options(ssl->ctx,
                        SSL_OP_MICROSOFT_SESS_ID_BUG
                        |SSL_OP_NETSCAPE_CHALLENGE_BUG
                        |SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);

    /*
     * server side options
     *
     * SSL_OP_MSIE_SSLV2_RSA_PADDING allows a potential SSL 2.0 rollback
     * (CAN-2005-2969) and is nevertheless set here.
     * NOTE(review): whether the flag still has any effect depends on the
     * OpenSSL release linked in; confirm, and drop it wherever SSLv2 can be
     * negotiated.
     *
     * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS turns off OpenSSL's empty-fragment
     * countermeasure for CBC cipher suites in SSLv3/TLSv1; it is a
     * compatibility trade-off, not a hardening option.
     */

    SSL_CTX_set_options(ssl->ctx,
                        SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
                        |SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
                        |SSL_OP_MSIE_SSLV2_RSA_PADDING
                        |SSL_OP_SSLEAY_080_CLIENT_DH_BUG
                        |SSL_OP_TLS_D5_BUG
                        |SSL_OP_TLS_BLOCK_PADDING_BUG
                        |SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
                        |SSL_OP_SINGLE_DH_USE);

    /* switch off every protocol version that was not requested */

    proto_opts = ngx_ssl_protocols[protocols >> 1];

    if (proto_opts != 0) {
        SSL_CTX_set_options(ssl->ctx, proto_opts);
    }

    SSL_CTX_set_read_ahead(ssl->ctx, 1);

    /* lets ngx_ssl_info_callback() notice handshakes after the first one */

    SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);

    return NGX_OK;
}
184 | |
185 | |
/*
 * Load the certificate chain and the PEM private key into ssl->ctx.
 *
 * Both paths are first passed through ngx_conf_full_name(), which may
 * rewrite cert->data / key->data, so the pointers are read only after that
 * call.  Returns NGX_OK, or NGX_ERROR after logging which OpenSSL call and
 * which file failed.
 *
 * NOTE(review): nothing here checks that the private key matches the
 * certificate (for example with SSL_CTX_check_private_key()) or that the key
 * file has restrictive permissions; confirm whether a caller does.
 */
ngx_int_t
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    ngx_str_t *key)
{
    int  rc;

    if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    rc = SSL_CTX_use_certificate_chain_file(ssl->ctx, (char *) cert->data);

    if (rc == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
                      cert->data);
        return NGX_ERROR;
    }

    if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    rc = SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
                                     SSL_FILETYPE_PEM);

    if (rc == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
        return NGX_ERROR;
    }

    return NGX_OK;
}
218 | |
219 | |
/*
 * Turn on client-certificate verification for ssl->ctx.
 *
 * cert   file with the trusted CA certificates; when empty, only the verify
 *        mode and depth are set and no CA file is loaded
 * depth  maximum chain depth handed to SSL_CTX_set_verify_depth()
 *
 * The mode is SSL_VERIFY_PEER with ngx_http_ssl_verify_callback(), which
 * always returns 1.  The handshake therefore does not abort on a
 * verification error by itself; the result has to be checked afterwards.
 * NOTE(review): that check is not in this part of the file - confirm that
 * every user of this function inspects the verification result.
 *
 * Returns NGX_OK or NGX_ERROR.
 */
ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    ngx_int_t depth)
{
    char                 *ca_file;
    STACK_OF(X509_NAME)  *ca_names;

    SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_http_ssl_verify_callback);

    SSL_CTX_set_verify_depth(ssl->ctx, depth);

    if (cert->len == 0) {
        return NGX_OK;
    }

    if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    /* read the path only now: ngx_conf_full_name() may have replaced it */

    ca_file = (char *) cert->data;

    if (SSL_CTX_load_verify_locations(ssl->ctx, ca_file, NULL) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_load_verify_locations(\"%s\") failed",
                      cert->data);
        return NGX_ERROR;
    }

    /* the same file also provides the CA names sent to the client */

    ca_names = SSL_load_client_CA_file(ca_file);

    if (ca_names == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_load_client_CA_file(\"%s\") failed", cert->data);
        return NGX_ERROR;
    }

    /*
     * before 0.9.7h and 0.9.8 SSL_load_client_CA_file()
     * always left an error in the error queue
     */

    ERR_clear_error();

    SSL_CTX_set_client_CA_list(ssl->ctx, ca_names);

    return NGX_OK;
}
266 | |
267 | |
/*
 * Load a PEM certificate revocation list into the context's certificate
 * store and enable CRL checking.
 *
 * An empty "crl" is a no-op that returns NGX_OK.  Otherwise the path is
 * expanded with ngx_conf_full_name(), the file is loaded through a file
 * lookup attached to the store, and the store is flagged with
 * X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL, i.e. revocation is
 * checked for the whole chain and not only for the leaf certificate.
 *
 * Returns NGX_OK or NGX_ERROR (after logging the failing call).
 */
ngx_int_t
ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
{
    X509_STORE   *cert_store;
    X509_LOOKUP  *file_lookup;

    if (crl->len == 0) {
        return NGX_OK;
    }

    if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    cert_store = SSL_CTX_get_cert_store(ssl->ctx);
    if (cert_store == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_get_cert_store() failed");
        return NGX_ERROR;
    }

    file_lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());
    if (file_lookup == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "X509_STORE_add_lookup() failed");
        return NGX_ERROR;
    }

    if (X509_LOOKUP_load_file(file_lookup, (char *) crl->data,
                              X509_FILETYPE_PEM)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "X509_LOOKUP_load_file(\"%s\") failed", crl->data);
        return NGX_ERROR;
    }

    X509_STORE_set_flags(cert_store,
                         X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);

    return NGX_OK;
}
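/*
 * Certificate verification callback installed by
 * ngx_ssl_client_certificate().
 *
 * ok          OpenSSL's verdict for the certificate being examined
 * x509_store  verification context
 *
 * The callback never vetoes a certificate: it returns 1 whatever "ok" is,
 * so a failed verification does not abort the handshake here.  In debug
 * builds it additionally logs the verdict, error code, chain depth and the
 * subject/issuer names.
 * NOTE(review): because the verdict is ignored at this point, the code that
 * uses the connection must look at the verification result itself; that
 * code is not in this part of the file - confirm it exists for every user.
 */
static int
ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
{
#if (NGX_DEBUG)
    char              *subject, *issuer;
    int                err, depth;
    X509              *cert;
    X509_NAME         *sname, *iname;
    ngx_connection_t  *c;
    ngx_ssl_conn_t    *ssl_conn;

    ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
                                          SSL_get_ex_data_X509_STORE_CTX_idx());

    c = ngx_ssl_get_connection(ssl_conn);

    cert = X509_STORE_CTX_get_current_cert(x509_store);
    err = X509_STORE_CTX_get_error(x509_store);
    depth = X509_STORE_CTX_get_error_depth(x509_store);

    /*
     * X509_NAME_oneline() allocates the string and can return NULL on
     * failure, so "subject"/"issuer" hold only heap strings (or NULL) and
     * the "(none)" placeholder is substituted at the logging call.  This
     * keeps a NULL pointer away from the "%s" conversions and makes the
     * free condition depend on the pointer that is actually freed.
     */

    sname = cert ? X509_get_subject_name(cert) : NULL;
    subject = sname ? X509_NAME_oneline(sname, NULL, 0) : NULL;

    iname = cert ? X509_get_issuer_name(cert) : NULL;
    issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : NULL;

    ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "verify:%d, error:%d, depth:%d, "
                   "subject:\"%s\",issuer: \"%s\"",
                   ok, err, depth,
                   subject ? subject : "(none)",
                   issuer ? issuer : "(none)");

    if (subject) {
        OPENSSL_free(subject);
    }

    if (issuer) {
        OPENSSL_free(issuer);
    }
#endif

    return 1;
}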
355 | |
356 | |
/*
 * OpenSSL info callback, installed on every context by ngx_ssl_create().
 *
 * When a handshake starts on a connection whose first handshake has already
 * completed (c->ssl->handshaked is set), the start is a renegotiation: the
 * connection is flagged with c->ssl->renegotiation and a debug line is
 * written.  What is done with the flag is decided outside this function.
 * "ret" is not used.
 */
static void
ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
{
    ngx_connection_t  *c;

    if ((where & SSL_CB_HANDSHAKE_START) == 0) {
        return;
    }

    /* the lookup helper takes a non-const pointer, hence the cast */

    c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);

    if (!c->ssl->handshaked) {
        return;
    }

    c->ssl->renegotiation = 1;
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
}
371 | |
372 | |
/*
 * Install a temporary 512-bit RSA key in ssl->ctx when OpenSSL reports that
 * one is needed (SSL_CTX_need_tmp_RSA()).
 *
 * The context keeps its own reference, so the local key is released right
 * after SSL_CTX_set_tmp_rsa().  Returns NGX_OK, or NGX_ERROR if key
 * generation fails.
 *
 * NOTE(review): a 512-bit RSA key offers no meaningful protection today;
 * temporary RSA keys exist only for export-grade cipher suites.  Prefer a
 * cipher configuration that excludes those suites so this path is never
 * taken - confirm against the configured cipher list.
 */
ngx_int_t
ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl)
{
    RSA  *tmp_key;

    if (SSL_CTX_need_tmp_RSA(ssl->ctx) == 0) {
        return NGX_OK;
    }

    tmp_key = RSA_generate_key(512, RSA_F4, NULL, NULL);

    if (tmp_key == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "RSA_generate_key(512) failed");
        return NGX_ERROR;
    }

    SSL_CTX_set_tmp_rsa(ssl->ctx, tmp_key);

    RSA_free(tmp_key);

    return NGX_OK;
}
396 | |
397 | |
/*
 * Set the Diffie-Hellman parameters used for ephemeral DH key exchange.
 *
 * file  PEM file with DH parameters; when empty, the built-in 1024-bit
 *       group below (generator 2) is used instead
 *
 * Returns NGX_OK or NGX_ERROR.  The DH object (and the BIO, for the file
 * case) is released before returning; the context keeps its own copy.
 *
 * NOTE(review): the fallback is a fixed 1024-bit group compiled into every
 * build, which is below current size recommendations and is shared by all
 * installations that do not configure a file.  Operators should supply
 * their own, larger parameters.  The return value of SSL_CTX_set_tmp_dh()
 * is not checked in either branch.
 */
ngx_int_t
ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
{
    DH   *dh;
    BIO  *bio;

    /*
     * -----BEGIN DH PARAMETERS-----
     * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
     * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
     * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
     * -----END DH PARAMETERS-----
     */

    static unsigned char dh1024_p[] = {
        0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
        0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
        0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
        0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
        0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
        0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
        0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
        0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
        0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
        0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
        0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
    };

    static unsigned char dh1024_g[] = { 0x02 };


    if (file->len != 0) {

        /* operator-supplied parameters */

        if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
            return NGX_ERROR;
        }

        bio = BIO_new_file((char *) file->data, "r");
        if (bio == NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "BIO_new_file(\"%s\") failed", file->data);
            return NGX_ERROR;
        }

        dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
        if (dh == NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "PEM_read_bio_DHparams(\"%s\") failed", file->data);
            BIO_free(bio);
            return NGX_ERROR;
        }

        SSL_CTX_set_tmp_dh(ssl->ctx, dh);

        DH_free(dh);
        BIO_free(bio);

        return NGX_OK;
    }

    /* no file configured: fall back to the built-in group */

    dh = DH_new();
    if (dh == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
        return NGX_ERROR;
    }

    dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
    dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);

    if (dh->p == NULL || dh->g == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
        DH_free(dh);
        return NGX_ERROR;
    }

    SSL_CTX_set_tmp_dh(ssl->ctx, dh);

    DH_free(dh);

    return NGX_OK;
}
479 | |
480 | |
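/*
 * Attach a new SSL object to connection "c".
 *
 * ssl    configuration whose ssl->ctx the new SSL object is created from
 * c      connection; its pool provides the ngx_ssl_connection_t, its fd is
 *        handed to OpenSSL, and c->ssl is set on success
 * flags  NGX_SSL_BUFFER enables the buffer flag on the new connection
 *        record; NGX_SSL_CLIENT selects connect state, otherwise the SSL
 *        object is put into accept state
 *
 * Returns NGX_OK, or NGX_ERROR with c->ssl left untouched.
 *
 * The SSL object is owned by nobody until c->ssl is assigned at the very
 * end, so every failure after SSL_new() releases it here; otherwise it
 * would be leaked, because the record that points to it is never published.
 * SSL_free() does not close c->fd: the descriptor stays owned by the
 * connection.
 */
ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
{
    ngx_ssl_connection_t  *sc;

    sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
    if (sc == NULL) {
        return NGX_ERROR;
    }

    sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);

    sc->connection = SSL_new(ssl->ctx);

    if (sc->connection == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed");
        return NGX_ERROR;
    }

    if (SSL_set_fd(sc->connection, c->fd) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed");
        goto failed;
    }

    if (flags & NGX_SSL_CLIENT) {
        SSL_set_connect_state(sc->connection);

    } else {
        SSL_set_accept_state(sc->connection);
    }

    /* lets OpenSSL callbacks map the SSL object back to the connection */

    if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
        goto failed;
    }

    c->ssl = sc;

    return NGX_OK;

failed:

    SSL_free(sc->connection);
    sc->connection = NULL;

    return NGX_ERROR;
}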
/*
 * Offer a previously saved session for resumption on connection "c".
 *
 * A NULL session is accepted and does nothing.  Returns NGX_OK, or
 * NGX_ERROR (logged at alert level) when SSL_set_session() rejects the
 * session.  c->ssl must already have been set up.
 */
ngx_int_t
ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
{
    if (session == NULL) {
        return NGX_OK;
    }

    if (SSL_set_session(c->ssl->connection, session) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}
535 | |
536 | |
/*
 * Run one step of the SSL handshake on the connection.
 *
 * Returns:
 *   NGX_OK    - SSL_do_handshake() returned 1; the connection's recv/send
 *               callbacks now point at the SSL implementations;
 *   NGX_AGAIN - OpenSSL wants more I/O; both event handlers are set to
 *               ngx_ssl_handshake_handler so the handshake is retried;
 *   NGX_ERROR - event registration failed, the peer closed the connection,
 *               or the handshake failed.
 */
ngx_int_t
ngx_ssl_handshake(ngx_connection_t *c)
{
    int        n, sslerr;
    ngx_err_t  err;

    /* start from a clean error state before calling into OpenSSL */
    ngx_ssl_clear_error(c->log);

    n = SSL_do_handshake(c->ssl->connection);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);

    if (n == 1) {

        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
            return NGX_ERROR;
        }

#if (NGX_DEBUG)
        {
        char         buf[129], *s, *d;
        SSL_CIPHER  *cipher;

        cipher = SSL_get_current_cipher(c->ssl->connection);

        if (cipher) {
            /*
             * the description is written at buf[1] so that "d", the last
             * written position, can start one byte before the text
             */
            SSL_CIPHER_description(cipher, &buf[1], 128);

            /*
             * compact the description in place: runs of spaces collapse to
             * one space and CR/LF are dropped.  buf[0] is never initialized;
             * it is read by the "*d == ' '" test only if the description
             * begins with a space, and by the "*d != ' '" test below only
             * if nothing was copied at all.
             */
            for (s = &buf[1], d = buf; *s; s++) {
                if (*s == ' ' && *d == ' ') {
                    continue;
                }

                if (*s == LF || *s == CR) {
                    continue;
                }

                *++d = *s;
            }

            /* a trailing space is overwritten by the terminator */
            if (*d != ' ') {
                d++;
            }

            *d = '\0';

            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "SSL: %s, cipher: \"%s\"",
                           SSL_get_version(c->ssl->connection), &buf[1]);

            if (SSL_session_reused(c->ssl->connection)) {
                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                               "SSL reused session");
            }

        } else {
            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "SSL no shared ciphers");
        }
        }
#endif

        c->ssl->handshaked = 1;

        /* from here on all connection I/O goes through the SSL layer */
        c->recv = ngx_ssl_recv;
        c->send = ngx_ssl_write;
        c->recv_chain = ngx_ssl_recv_chain;
        c->send_chain = ngx_ssl_send_chain;

        /*
         * initial handshake done, disable renegotiation (CVE-2009-3555)
         *
         * The flag is set by writing into the SSL object's s3 state
         * directly.  NOTE(review): this relies on the OpenSSL headers
         * exposing that structure - confirm for every OpenSSL version
         * the build is expected to support.  The connection itself is
         * dropped in ngx_ssl_handle_recv() once c->ssl->renegotiation
         * is seen.
         */
        if (c->ssl->connection->s3) {
            c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
        }

        return NGX_OK;
    }

    sslerr = SSL_get_error(c->ssl->connection, n);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

    if (sslerr == SSL_ERROR_WANT_READ) {
        /* wait for readability, then re-enter through the handler */
        c->read->ready = 0;
        c->read->handler = ngx_ssl_handshake_handler;
        c->write->handler = ngx_ssl_handshake_handler;

        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        return NGX_AGAIN;
    }

    if (sslerr == SSL_ERROR_WANT_WRITE) {
        /* wait for writability, then re-enter through the handler */
        c->write->ready = 0;
        c->read->handler = ngx_ssl_handshake_handler;
        c->write->handler = ngx_ssl_handshake_handler;

        if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        return NGX_AGAIN;
    }

    /*
     * the system errno is meaningful only for SSL_ERROR_SYSCALL.
     * NOTE(review): ngx_errno is sampled after the debug log call above,
     * whereas ngx_ssl_handle_recv() samples it right after SSL_get_error();
     * confirm that logging cannot modify errno.
     */
    err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

    /* the handshake is dead: skip the SSL shutdown exchange later on */
    c->ssl->no_wait_shutdown = 1;
    c->ssl->no_send_shutdown = 1;
    c->read->eof = 1;

    /*
     * an empty OpenSSL error queue is reported as the peer closing the
     * connection (info level) rather than as a handshake failure
     */
    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
        ngx_log_error(NGX_LOG_INFO, c->log, err,
                      "peer closed connection in SSL handshake");

        return NGX_ERROR;
    }

    c->read->error = 1;

    ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");

    return NGX_ERROR;
}
665 | |
666 | |
/*
 * Event handler installed on both the read and the write event while a
 * handshake is in progress.  It retries the handshake and, unless that
 * still needs more I/O (NGX_AGAIN), passes control to c->ssl->handler.
 *
 * On a timed-out event the handshake is not retried; the handler is
 * called straight away (presumably it inspects the timeout flag itself -
 * verify against the callers that set c->ssl->handler).
 */
static void
ngx_ssl_handshake_handler(ngx_event_t *ev)
{
    ngx_connection_t  *conn = ev->data;

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, conn->log, 0,
                   "SSL handshake handler: %d", ev->write);

    /* still in progress: wait for the next event */
    if (!ev->timedout && ngx_ssl_handshake(conn) == NGX_AGAIN) {
        return;
    }

    conn->ssl->handler(conn);
}
688 | |
689 | |
/*
 * Read decrypted data into the free space of a buffer chain, filling each
 * buffer from its "last" pointer up to its "end" before moving on.
 *
 * The buffers' "last" fields are only read, never written: the fill
 * position is tracked in a local cursor, so the caller has to account
 * for the returned byte count itself.
 *
 * Returns the number of bytes stored when at least one byte was read;
 * otherwise the ngx_ssl_recv() result (0, NGX_AGAIN or NGX_ERROR).
 */
ssize_t
ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl)
{
    u_char     *cursor;
    ssize_t     rc, total;
    ngx_buf_t  *cur;

    total = 0;
    cur = cl->buf;
    cursor = cur->last;

    for ( ;; ) {

        rc = ngx_ssl_recv(c, cursor, cur->end - cursor);

        if (rc <= 0) {

            /* nothing was read at all: pass the status through */
            if (total == 0) {
                return rc;
            }

            /*
             * data was read before EOF or an error showed up: keep the
             * read event ready so that the caller reads again and gets
             * the pending status
             */
            if (rc == 0 || rc == NGX_ERROR) {
                c->read->ready = 1;
            }

            return total;
        }

        cursor += rc;
        total += rc;

        /* room left in the current buffer */
        if (cursor != cur->end) {
            continue;
        }

        cl = cl->next;

        if (cl == NULL) {
            return total;
        }

        cur = cl->buf;
        cursor = cur->last;
    }
}
736 | |
737 | |
/*
 * Read up to "size" bytes of decrypted data into "buf".
 *
 * Returns the number of bytes read (> 0), 0 on a clean SSL shutdown,
 * NGX_AGAIN when no data is available yet, or NGX_ERROR.
 *
 * The status of the last SSL_read() is kept in c->ssl->last.  When data
 * was read before a terminal status occurred, the data is returned first
 * and the saved status is reported by the next call.
 */
ssize_t
ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
{
    int  n, bytes;

    /* report a terminal status left over from the previous call */
    if (c->ssl->last == NGX_ERROR) {
        c->read->error = 1;
        return NGX_ERROR;
    }

    if (c->ssl->last == NGX_DONE) {
        c->read->ready = 0;
        c->read->eof = 1;
        return 0;
    }

    bytes = 0;

    ngx_ssl_clear_error(c->log);

    /*
     * SSL_read() may return data in parts, so try to read
     * until SSL_read() would return no data
     */

    for ( ;; ) {

        /*
         * NOTE(review): "size" is a size_t but SSL_read() takes an int, and
         * the running total is an int as well; callers presumably never
         * pass more than INT_MAX bytes - confirm.
         */
        n = SSL_read(c->ssl->connection, buf, size);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);

        /*
         * the bytes are counted before the status is evaluated, so data
         * delivered by a read that ngx_ssl_handle_recv() then rejects
         * (e.g. because of renegotiation) is still returned to the caller
         */
        if (n > 0) {
            bytes += n;
        }

        c->ssl->last = ngx_ssl_handle_recv(c, n);

        if (c->ssl->last == NGX_OK) {

            /* ngx_ssl_handle_recv() returns NGX_OK only for n > 0 */
            size -= n;

            if (size == 0) {
                return bytes;
            }

            buf += n;

            continue;
        }

        /* return what we have; c->ssl->last is reported on the next call */
        if (bytes) {
            return bytes;
        }

        switch (c->ssl->last) {

        case NGX_DONE:
            c->read->ready = 0;
            c->read->eof = 1;
            return 0;

        case NGX_ERROR:
            c->read->error = 1;

            /* fall through */

        case NGX_AGAIN:
            return c->ssl->last;
        }
    }
}
809 | |
810 | |
/*
 * Translate the result "n" of an SSL_read() call into an nginx status and
 * update the connection's event state accordingly.
 *
 * Returns:
 *   NGX_OK    - n > 0, data was read;
 *   NGX_AGAIN - OpenSSL wants to read or write before it can continue;
 *   NGX_DONE  - the peer shut the SSL connection down, or the OpenSSL
 *               error queue is empty;
 *   NGX_ERROR - renegotiation was detected, event registration failed,
 *               or SSL_read() failed.
 */
static ngx_int_t
ngx_ssl_handle_recv(ngx_connection_t *c, int n)
{
    int        sslerr;
    ngx_err_t  err;

    /*
     * checked before "n" is looked at, so a successful read is rejected
     * too; the flag itself is set outside this function
     */
    if (c->ssl->renegotiation) {
        /*
         * disable renegotiation (CVE-2009-3555):
         * OpenSSL (at least up to 0.9.8l) does not handle disabled
         * renegotiation gracefully, so drop connection here
         */

        ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");

        c->ssl->no_wait_shutdown = 1;
        c->ssl->no_send_shutdown = 1;

        return NGX_ERROR;
    }

    if (n > 0) {

        /*
         * a previous SSL_read() needed the socket to become writable and
         * took over the write handler; give it back and schedule the
         * write event
         */
        if (c->ssl->saved_write_handler) {

            c->write->handler = c->ssl->saved_write_handler;
            c->ssl->saved_write_handler = NULL;
            c->write->ready = 1;

            if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
                return NGX_ERROR;
            }

            ngx_post_event(c->write, &ngx_posted_events);
        }

        return NGX_OK;
    }

    sslerr = SSL_get_error(c->ssl->connection, n);

    /* the system errno is meaningful only for SSL_ERROR_SYSCALL */
    err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

    if (sslerr == SSL_ERROR_WANT_READ) {
        c->read->ready = 0;
        return NGX_AGAIN;
    }

    if (sslerr == SSL_ERROR_WANT_WRITE) {

        /* a read that needs to write is logged as a renegotiation attempt */
        ngx_log_error(NGX_LOG_INFO, c->log, 0,
                      "peer started SSL renegotiation");

        c->write->ready = 0;

        if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        /*
         * we do not set the timer because there is already the read event timer
         */

        /* route write readiness to the read handler until data flows again */
        if (c->ssl->saved_write_handler == NULL) {
            c->ssl->saved_write_handler = c->write->handler;
            c->write->handler = ngx_ssl_write_handler;
        }

        return NGX_AGAIN;
    }

    /* the connection is finished either way: skip the shutdown exchange */
    c->ssl->no_wait_shutdown = 1;
    c->ssl->no_send_shutdown = 1;

    /*
     * Any remaining status with an empty OpenSSL error queue is reported
     * as a clean shutdown, including SSL_ERROR_SYSCALL, in which case
     * "err" is discarded.
     * NOTE(review): a transport-level close without an SSL close
     * notification presumably ends up here as well, so callers cannot
     * tell a truncated stream from a clean end of data by this status
     * alone - confirm.
     */
    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "peer shutdown SSL cleanly");
        return NGX_DONE;
    }

    ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");

    return NGX_ERROR;
}
897 |
898 |
/*
 * Temporary write-event handler: ngx_ssl_handle_recv() installs it when
 * SSL_read() needs the socket to become writable.  It simply runs the
 * connection's read handler so that the interrupted read is retried.
 */
static void
ngx_ssl_write_handler(ngx_event_t *wev)
{
    ngx_connection_t  *conn = wev->data;
    ngx_event_t       *rev = conn->read;

    rev->handler(rev);
}
908 | |
909 | |
910 /* |
911 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer |
473 | 912 * before the SSL_write() call to decrease a SSL overhead. |
913 * |
914 * Besides for protocols such as HTTP it is possible to always buffer |
915 * the output to decrease a SSL overhead some more. |
916 */ |
917 |
489 | 918 ngx_chain_t * |
919 ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) | |
920 { |
921 int n; |
922 ngx_uint_t flush; |
923 ssize_t send, size; |
924 ngx_buf_t *buf; |
925 |
926 if (!c->ssl->buffer) { |
927 |
577 | 928 while (in) { |
929 if (ngx_buf_special(in->buf)) { | |
930 in = in->next; | |
931 continue; | |
932 } | |
933 |
577 | 934 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); |
935 | |
936 if (n == NGX_ERROR) { | |
937 return NGX_CHAIN_ERROR; | |
938 } | |
939 |
577 | 940 if (n == NGX_AGAIN) { |
597 | 941 c->buffered |= NGX_SSL_BUFFERED; |
577 | 942 return in; |
943 } | |
944 | |
945 in->buf->pos += n; | |
946 | |
947 if (in->buf->pos == in->buf->last) { | |
948 in = in->next; | |
949 } | |
950 } |
951 |
952 return in; |
953 } |
954 |
473 | 955 |
956 /* the maximum limit size is the maximum uint32_t value - the page size */ | |
957 | |
958 if (limit == 0 || limit > (off_t) (NGX_MAX_UINT32_VALUE - ngx_pagesize)) { |
473 | 959 limit = NGX_MAX_UINT32_VALUE - ngx_pagesize; |
960 } | |
961 | |
577 | 962 buf = c->ssl->buf; |
963 |
964 if (buf == NULL) { |
965 buf = ngx_create_temp_buf(c->pool, NGX_SSL_BUFSIZE); |
966 if (buf == NULL) { |
967 return NGX_CHAIN_ERROR; |
968 } |
969 |
970 c->ssl->buf = buf; |
971 } |
972 |
973 if (buf->start == NULL) { |
974 buf->start = ngx_palloc(c->pool, NGX_SSL_BUFSIZE); |
975 if (buf->start == NULL) { |
976 return NGX_CHAIN_ERROR; |
977 } |
978 |
979 buf->pos = buf->start; |
980 buf->last = buf->start; |
981 buf->end = buf->start + NGX_SSL_BUFSIZE; |
982 } |
983 |
984 send = 0; |
985 flush = (in == NULL) ? 1 : 0; |
986 |
987 for ( ;; ) { |
988 |
3437 | 989 while (in && buf->last < buf->end && send < limit) { |
583 | 990 if (in->buf->last_buf || in->buf->flush) { |
991 flush = 1; |
992 } |
993 |
994 if (ngx_buf_special(in->buf)) { |
995 in = in->next; |
996 continue; |
997 } |
998 |
999 size = in->buf->last - in->buf->pos; |
1000 |
1001 if (size > buf->end - buf->last) { |
1002 size = buf->end - buf->last; |
1003 } |
1004 |
1005 if (send + size > limit) { |
577 | 1006 size = (ssize_t) (limit - send); |
1007 flush = 1; |
1008 } |
1009 |
1010 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
1011 "SSL buf copy: %d", size); |
1012 |
1013 ngx_memcpy(buf->last, in->buf->pos, size); |
1014 |
1015 buf->last += size; |
1016 in->buf->pos += size; |
3437 | 1017 send += size; |
577 | 1018 |
1019 if (in->buf->pos == in->buf->last) { |
1020 in = in->next; |
1021 } |
1022 } |
1023 |
1024 size = buf->last - buf->pos; |
1025 |
1026 if (!flush && buf->last < buf->end && c->ssl->buffer) { |
1027 break; |
1028 } |
1029 |
1030 n = ngx_ssl_write(c, buf->pos, size); |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1031 |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1032 if (n == NGX_ERROR) { |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1033 return NGX_CHAIN_ERROR; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1034 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1035 |
511 | 1036 if (n == NGX_AGAIN) { |
597 | 1037 c->buffered |= NGX_SSL_BUFFERED; |
511 | 1038 return in; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1039 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1040 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1041 buf->pos += n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1042 c->sent += n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1043 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1044 if (n < size) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1045 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1046 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1047 |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1048 if (buf->pos == buf->last) { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1049 buf->pos = buf->start; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1050 buf->last = buf->start; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1051 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1052 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1053 if (in == NULL || send == limit) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1054 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1055 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1056 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1057 |
597 | 1058 if (buf->pos < buf->last) { |
1059 c->buffered |= NGX_SSL_BUFFERED; | |
1060 | |
1061 } else { | |
1062 c->buffered &= ~NGX_SSL_BUFFERED; | |
1063 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1064 |
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
398
diff
changeset
|
1065 return in; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1066 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1067 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1068 |
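/*
 * Write up to size bytes from data to the SSL connection of c.
 *
 * Returns the positive byte count reported by SSL_write(), NGX_AGAIN when
 * OpenSSL reports SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ, and NGX_ERROR
 * for any other SSL error or when the read event cannot be re-armed.
 *
 * NOTE(review): SSL_write() takes an int length, so size is narrowed at the
 * call below; callers are presumably expected to keep size within INT_MAX -
 * confirm against the callers.
 */
ssize_t
ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
{
    int        n, sslerr;
    ngx_err_t  err;

    /* drop errors left in the OpenSSL queue so SSL_get_error() is reliable */
    ngx_ssl_clear_error(c->log);

    /* size is a size_t: "%uz" is the matching nginx conversion, not "%d" */
    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size);

    n = SSL_write(c->ssl->connection, data, size);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n);

    if (n > 0) {

        if (c->ssl->saved_read_handler) {

            /*
             * an earlier SSL_ERROR_WANT_READ replaced the read handler;
             * the write went through, so put the saved handler back and
             * let it run
             */

            c->read->handler = c->ssl->saved_read_handler;
            c->ssl->saved_read_handler = NULL;
            c->read->ready = 1;

            if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
                return NGX_ERROR;
            }

            ngx_post_event(c->read, &ngx_posted_events);
        }

        return n;
    }

    sslerr = SSL_get_error(c->ssl->connection, n);

    /* errno is meaningful only when OpenSSL reports a syscall failure */
    err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

    if (sslerr == SSL_ERROR_WANT_WRITE) {
        c->write->ready = 0;
        return NGX_AGAIN;
    }

    if (sslerr == SSL_ERROR_WANT_READ) {

        /*
         * a write that needs to read first is logged as a renegotiation
         * started by the peer; the message is emitted at info level only
         */

        ngx_log_error(NGX_LOG_INFO, c->log, 0,
                      "peer started SSL renegotiation");

        c->read->ready = 0;

        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        /*
         * we do not set the timer because there is already
         * the write event timer
         */

        if (c->ssl->saved_read_handler == NULL) {
            c->ssl->saved_read_handler = c->read->handler;
            c->read->handler = ngx_ssl_read_handler;
        }

        return NGX_AGAIN;
    }

    /* fatal error: make the later ngx_ssl_shutdown() mark both directions */
    c->ssl->no_wait_shutdown = 1;
    c->ssl->no_send_shutdown = 1;
    c->write->error = 1;

    ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed");

    return NGX_ERROR;
}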
1144 |
1145 |
/*
 * Read-event handler installed by ngx_ssl_write() while a write is waiting
 * for the socket to become readable: it forwards the event to the
 * connection's write handler.
 */
static void
ngx_ssl_read_handler(ngx_event_t *rev)
{
    ngx_connection_t  *c = rev->data;

    /* a readable socket means the pending write can be retried */
    (c->write->handler)(c->write);
}
1155 | |
1156 | |
/*
 * Hand the SSL output buffer's memory back to the connection pool.
 *
 * Does nothing when there is no buffer or it holds no memory. The start
 * pointer is cleared only when ngx_pfree() returns NGX_OK, so it is never
 * left pointing at memory that has been released.
 */
void
ngx_ssl_free_buffer(ngx_connection_t *c)
{
    if (c->ssl->buf == NULL || c->ssl->buf->start == NULL) {
        return;
    }

    if (ngx_pfree(c->pool, c->ssl->buf->start) != NGX_OK) {
        /* the pool kept the memory; leave the buffer usable */
        return;
    }

    c->ssl->buf->start = NULL;
}
1166 |
1167 |
/*
 * Start or continue the SSL shutdown of connection c.
 *
 * Returns NGX_OK when the shutdown finished (the SSL object is freed and
 * c->ssl is set to NULL), NGX_AGAIN when OpenSSL needs more I/O (both event
 * handlers are switched to ngx_ssl_shutdown_handler), and NGX_ERROR on
 * failure.
 *
 * NOTE(review): the two NGX_ERROR returns inside the WANT_READ/WANT_WRITE
 * branch leave c->ssl and its SSL object in place; confirm the caller
 * releases them.
 */
ngx_int_t
ngx_ssl_shutdown(ngx_connection_t *c)
{
    int        n, sslerr, mode;
    ngx_err_t  err;
    ngx_int_t  rc;

    if (!c->timedout) {
        mode = SSL_get_shutdown(c->ssl->connection);

        /* flags set after a fatal I/O error skip the matching half */

        if (c->ssl->no_wait_shutdown) {
            mode |= SSL_RECEIVED_SHUTDOWN;
        }

        if (c->ssl->no_send_shutdown) {
            mode |= SSL_SENT_SHUTDOWN;
        }

    } else {
        /* timed out: mark both directions as already shut down */
        mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN;
    }

    SSL_set_shutdown(c->ssl->connection, mode);

    ngx_ssl_clear_error(c->log);

    n = SSL_shutdown(c->ssl->connection);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);

    /* SSL_shutdown() never returns -1, on error it returns 0 */

    sslerr = 0;

    /* an error is looked up only if something was queued by OpenSSL */
    if (n != 1 && ERR_peek_error()) {
        sslerr = SSL_get_error(c->ssl->connection, n);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL_get_error: %d", sslerr);
    }

    if (n != 1 && sslerr != 0 && sslerr != SSL_ERROR_ZERO_RETURN) {

        if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) {

            /* shutdown is still in progress: resume it from the event loop */
            c->read->handler = ngx_ssl_shutdown_handler;
            c->write->handler = ngx_ssl_shutdown_handler;

            if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
                return NGX_ERROR;
            }

            if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
                return NGX_ERROR;
            }

            /* a read timer (30000) is armed here only for WANT_READ */
            if (sslerr == SSL_ERROR_WANT_READ) {
                ngx_add_timer(c->read, 30000);
            }

            return NGX_AGAIN;
        }

        err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

        ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed");

        rc = NGX_ERROR;

    } else {
        rc = NGX_OK;
    }

    /* finished or failed: free the SSL object and clear the pointer */
    SSL_free(c->ssl->connection);
    c->ssl = NULL;

    return rc;
}
1243 |
1244 |
/*
 * Event handler used while an SSL shutdown is pending: retries
 * ngx_ssl_shutdown() and, unless it asks to be called again, invokes the
 * handler stored in c->ssl->handler.
 */
static void
ngx_ssl_shutdown_handler(ngx_event_t *ev)
{
    ngx_connection_t           *c = ev->data;
    ngx_connection_handler_pt   handler;

    /* read the callback first: ngx_ssl_shutdown() may set c->ssl to NULL */
    handler = c->ssl->handler;

    if (ev->timedout) {
        c->timedout = 1;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler");

    if (ngx_ssl_shutdown(c) != NGX_AGAIN) {
        handler(c);
    }
}
1266 | |
1267 | |
/*
 * Log an SSL failure on connection c, choosing the log level from the kind
 * of error.
 *
 * The level defaults to NGX_LOG_CRIT. For the listed errno values (with
 * SSL_ERROR_SYSCALL) and the listed handshake/alert reason codes (with
 * SSL_ERROR_SSL) it is lowered according to c->log_error: to NGX_LOG_INFO
 * for NGX_ERROR_IGNORE_ECONNRESET and NGX_ERROR_INFO, to NGX_LOG_ERR for
 * NGX_ERROR_ERR. Record-MAC and decryption failures are in that list, so
 * they reach the log only when it is configured at the lowered level or
 * below.
 *
 * text is passed to ngx_ssl_error() as its format string.
 */
static void
ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
    char *text)
{
    int         n;
    ngx_uint_t  level, demote;

    demote = 0;

    if (sslerr == SSL_ERROR_SYSCALL) {

        demote = (err == NGX_ECONNRESET
                  || err == NGX_EPIPE
                  || err == NGX_ENOTCONN
                  || err == NGX_ETIMEDOUT
                  || err == NGX_ECONNREFUSED
                  || err == NGX_ENETDOWN
                  || err == NGX_ENETUNREACH
                  || err == NGX_EHOSTDOWN
                  || err == NGX_EHOSTUNREACH);

    } else if (sslerr == SSL_ERROR_SSL) {

        /* the queue is only peeked; ngx_ssl_error() consumes it below */
        n = ERR_GET_REASON(ERR_peek_error());

        /* handshake failures */
        demote = (n == SSL_R_DIGEST_CHECK_FAILED                     /*  149 */
                  || n == SSL_R_NO_CIPHERS_PASSED                    /*  182 */
                  || n == SSL_R_NO_SHARED_CIPHER                     /*  193 */
                  || n == SSL_R_UNEXPECTED_MESSAGE                   /*  244 */
                  || n == SSL_R_UNEXPECTED_RECORD                    /*  245 */
                  || n == SSL_R_UNKNOWN_PROTOCOL                     /*  252 */
                  || n == SSL_R_WRONG_VERSION_NUMBER                 /*  267 */
                  || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC  /*  281 */
                  || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
                  || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE       /* 1010 */
                  || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC           /* 1020 */
                  || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED        /* 1021 */
                  || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW          /* 1022 */
                  || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE    /* 1030 */
                  || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE        /* 1040 */
                  || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE           /* 1041 */
                  || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE          /* 1042 */
                  || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE  /* 1043 */
                  || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED      /* 1044 */
                  || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED      /* 1045 */
                  || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN      /* 1046 */
                  || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER        /* 1047 */
                  || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA               /* 1048 */
                  || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED            /* 1049 */
                  || n == SSL_R_TLSV1_ALERT_DECODE_ERROR             /* 1050 */
                  || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR            /* 1051 */
                  || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION       /* 1060 */
                  || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION         /* 1070 */
                  || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY    /* 1071 */
                  || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR           /* 1080 */
                  || n == SSL_R_TLSV1_ALERT_USER_CANCELLED           /* 1090 */
                  || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION);       /* 1100 */
    }

    level = NGX_LOG_CRIT;

    if (demote) {
        switch (c->log_error) {

        case NGX_ERROR_IGNORE_ECONNRESET:
        case NGX_ERROR_INFO:
            level = NGX_LOG_INFO;
            break;

        case NGX_ERROR_ERR:
            level = NGX_LOG_ERR;
            break;

        default:
            break;
        }
    }

    ngx_ssl_error(level, c->log, err, text);
}
1362 | |
1363 | |
/*
 * Report and discard errors still sitting in the OpenSSL error queue, so
 * that the next SSL call starts with an empty queue. Each leftover is
 * logged at NGX_LOG_ALERT as a stale error.
 */
static void
ngx_ssl_clear_error(ngx_log_t *log)
{
    for ( ;; ) {

        if (ERR_peek_error() == 0) {
            break;
        }

        /* ngx_ssl_error() pulls the queued entries while formatting them */
        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
    }

    ERR_clear_error();
}
1373 |
1374 |
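/*
 * Format a message, append every entry of the OpenSSL error queue to it
 * and write the result to the log.
 *
 * level, log and err are passed through to ngx_log_error(). fmt and the
 * variable arguments are expanded with ngx_vslprintf(); fmt must therefore
 * be a trusted format string, never peer-supplied text. The whole message
 * is limited to NGX_MAX_CONF_ERRSTR bytes; queue entries that no longer fit
 * are still removed from the queue but not printed.
 */
void ngx_cdecl
ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
{
    u_long    n;
    va_list   args;
    u_char   *p, *last;
    u_char    errstr[NGX_MAX_CONF_ERRSTR];

    last = errstr + NGX_MAX_CONF_ERRSTR;

    /* last - 1 keeps one byte free for the terminator written below */
    va_start(args, fmt);
    p = ngx_vslprintf(errstr, last - 1, fmt, args);
    va_end(args);

    /* presumably leaves p on the terminating NUL - confirm in ngx_cpystrn() */
    p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);

    for ( ;; ) {

        n = ERR_get_error();

        if (n == 0) {
            break;
        }

        /*
         * The separator needs one byte and ERR_error_string_n() at least
         * one more for its NUL. With only one byte left, writing the
         * separator would overwrite the terminator and the "%s" below
         * would read past errstr, so the entry is dropped instead.
         */

        if (p >= last - 1) {
            continue;
        }

        *p++ = ' ';

        ERR_error_string_n(n, (char *) p, last - p);

        /* advance to the NUL written by ERR_error_string_n() */
        while (p < last && *p) {
            p++;
        }
    }

    ngx_log_error(level, log, err, "%s)", errstr);
}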
509 | 1414 |
1415 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
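/*
 * Configure server-side SSL session caching on ssl->ctx.
 *
 * ssl                    context wrapper; ssl->ctx is configured and
 *                        ssl->log receives error messages
 * sess_ctx               session id context passed to
 *                        SSL_CTX_set_session_id_context()
 * builtin_session_cache  one of the NGX_SSL_*_SCACHE selectors, or the size
 *                        passed to SSL_CTX_sess_set_cache_size()
 * shm_zone               shared memory zone for the shared cache, or NULL
 * timeout                session lifetime passed to SSL_CTX_set_timeout()
 *
 * Returns NGX_OK on success, NGX_ERROR if the session id context or the
 * shared zone could not be attached to the context.
 *
 * The two early-return modes (NGX_SSL_NO_SCACHE and NGX_SSL_NONE_SCACHE)
 * set neither the session id context nor the timeout.
 */
ngx_int_t
ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
    ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
{
    long  cache_mode;

    if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
        SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
        return NGX_OK;
    }

    if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {

        /*
         * If the server explicitly says that it does not support
         * session reuse (see SSL_SESS_CACHE_OFF above), then
         * Outlook Express fails to upload a sent email to
         * the Sent Items folder on the IMAP server via a separate IMAP
         * connection in the background. Therefore we have a special
         * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE)
         * where the server pretends that it supports session reuse,
         * but it does not actually store any session.
         */

        SSL_CTX_set_session_cache_mode(ssl->ctx,
                                       SSL_SESS_CACHE_SERVER
                                       |SSL_SESS_CACHE_NO_AUTO_CLEAR
                                       |SSL_SESS_CACHE_NO_INTERNAL_STORE);

        SSL_CTX_sess_set_cache_size(ssl->ctx, 1);

        return NGX_OK;
    }

    cache_mode = SSL_SESS_CACHE_SERVER;

    /* with a shared zone the OpenSSL internal cache may be bypassed */

    if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) {
        cache_mode |= SSL_SESS_CACHE_NO_INTERNAL;
    }

    SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);

    /*
     * SSL_CTX_set_session_id_context() returns 0 when the context is
     * rejected (it is limited to SSL_MAX_SID_CTX_LENGTH bytes).  Fail the
     * configuration instead of silently running with no session id
     * context, in the same way as the SSL_CTX_set_ex_data() check below.
     */

    if (SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_session_id_context() failed");
        return NGX_ERROR;
    }

    if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {

        /* the default selector keeps the cache size OpenSSL already has */

        if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
            SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache);
        }
    }

    SSL_CTX_set_timeout(ssl->ctx, (long) timeout);

    if (shm_zone) {
        shm_zone->init = ngx_ssl_session_cache_init;

        SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
        SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
        SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session);

        /* the callbacks look the zone up again through this ex_data slot */

        if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone)
            == 0)
        {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "SSL_CTX_set_ex_data() failed");
            return NGX_ERROR;
        }
    }

    return NGX_OK;
}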
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1487 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1488 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
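/*
 * Shared memory zone init callback for the SSL session cache.
 *
 * shm_zone  zone being initialized; shm_zone->data receives the cache
 * data      cache inherited from a previous zone instance, or NULL
 *
 * Returns NGX_OK, or NGX_ERROR when a slab allocation fails.
 *
 * Three cases are handled:
 *   - data is set: the inherited cache is reused as is;
 *   - the shared memory already exists: the cache pointer that the
 *     creator stored in shpool->data is picked up;
 *   - otherwise a new cache (rbtree, expire queue and the slab pool log
 *     context string) is created inside the zone.
 */
static ngx_int_t
ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
{
    size_t                    len;
    ngx_slab_pool_t          *shpool;
    ngx_ssl_session_cache_t  *cache;

    if (data) {
        shm_zone->data = data;
        return NGX_OK;
    }

    shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;

    if (shm_zone->shm.exists) {

        /*
         * data is NULL on this path, so storing it would leave
         * shm_zone->data NULL and the session callbacks, which
         * dereference shm_zone->data as the cache, would crash.
         * Use the pointer saved in shpool->data at creation time.
         * NOTE(review): assumes the existing segment was initialized by
         * this function - confirm for the attach path.
         */

        shm_zone->data = shpool->data;
        return NGX_OK;
    }

    cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t));
    if (cache == NULL) {
        return NGX_ERROR;
    }

    /* published in the pool as well so that an attaching process finds it */

    shpool->data = cache;
    shm_zone->data = cache;

    ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel,
                    ngx_ssl_session_rbtree_insert_value);

    ngx_queue_init(&cache->expire_queue);

    /* sizeof() of the literal already counts the terminating NUL */

    len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len;

    shpool->log_ctx = ngx_slab_alloc(shpool, len);
    if (shpool->log_ctx == NULL) {
        return NGX_ERROR;
    }

    ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z",
                &shm_zone->shm.name);

    return NGX_OK;
}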
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1533 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1534 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1535 /* |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1536 * The length of the session id is 16 bytes for SSLv2 sessions and |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1537 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes. |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1538 * It seems that the typical length of the external ASN1 representation |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1539 * of a session is 118 or 119 bytes for SSLv3/TLSv1. |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1540 * |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1541 * Thus on 32-bit platforms we allocate separately an rbtree node, |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1542 * a session id, and an ASN1 representation, they take accordingly |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1543 * 64, 32, and 128 bytes. |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1544 * |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1545 * On 64-bit platforms we allocate separately an rbtree node + session_id, |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1546 * and an ASN1 representation, they take accordingly 128 and 128 bytes. |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1547 * |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1548 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1549 * so they are outside the code locked by shared pool mutex |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1550 */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1551 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1552 static int |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1553 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1554 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1555 int len; |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1556 u_char *p, *id, *cached_sess; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1557 uint32_t hash; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1558 SSL_CTX *ssl_ctx; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1559 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1560 ngx_connection_t *c; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1561 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1562 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1563 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1564 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1565 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1566 len = i2d_SSL_SESSION(sess, NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1567 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1568 /* do not cache too big session */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1569 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1570 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1571 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1572 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1573 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1574 p = buf; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1575 i2d_SSL_SESSION(sess, &p); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1576 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1577 c = ngx_ssl_get_connection(ssl_conn); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1578 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1579 ssl_ctx = SSL_get_SSL_CTX(ssl_conn); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1580 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1581 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1582 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1583 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1584 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1585 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1586 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1587 /* drop one or two expired sessions */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1588 ngx_ssl_expire_sessions(cache, shpool, 1); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1589 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1590 cached_sess = ngx_slab_alloc_locked(shpool, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1591 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1592 if (cached_sess == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1593 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1594 /* drop the oldest non-expired session and try once more */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1595 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1596 ngx_ssl_expire_sessions(cache, shpool, 0); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1597 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1598 cached_sess = ngx_slab_alloc_locked(shpool, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1599 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1600 if (cached_sess == NULL) { |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1601 sess_id = NULL; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1602 goto failed; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1603 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1604 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1605 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1606 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1607 if (sess_id == NULL) { |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1608 goto failed; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1609 } |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1610 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1611 #if (NGX_PTR_SIZE == 8) |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1612 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1613 id = sess_id->sess_id; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1614 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1615 #else |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1616 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1617 id = ngx_slab_alloc_locked(shpool, sess->session_id_length); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1618 if (id == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1619 goto failed; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1620 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1621 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1622 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1623 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1624 ngx_memcpy(cached_sess, buf, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1625 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1626 ngx_memcpy(id, sess->session_id, sess->session_id_length); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1627 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1628 hash = ngx_crc32_short(sess->session_id, sess->session_id_length); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1629 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1630 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3430
966f9cf9c7da
merge r3155, r3156, r3160, r969, r3191, r3197, r3358:
Igor Sysoev <igor@sysoev.ru>
parents:
3339
diff
changeset
|
1631 "ssl new session: %08XD:%d:%d", |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1632 hash, sess->session_id_length, len); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1633 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1634 sess_id->node.key = hash; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1635 sess_id->node.data = (u_char) sess->session_id_length; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1636 sess_id->id = id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1637 sess_id->len = len; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1638 sess_id->session = cached_sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1639 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
1640 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1641 |
1760 | 1642 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1643 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1644 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1645 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1646 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1647 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1648 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1649 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1650 failed: |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1651 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1652 if (cached_sess) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1653 ngx_slab_free_locked(shpool, cached_sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1654 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1655 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1656 if (sess_id) { |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1657 ngx_slab_free_locked(shpool, sess_id); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1658 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1659 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1660 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1661 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1662 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1663 "could not add new SSL session to the session cache"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1664 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1665 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1666 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1667 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1668 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
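/*
 * Session-cache lookup callback: searches the shared-memory session cache
 * attached to the connection's SSL_CTX for the given session id and returns
 * the stored session decoded with d2i_SSL_SESSION().
 *
 * ssl_conn  connection whose SSL_CTX carries the cache zone as ex_data
 * id, len   session id to look up and its length in bytes
 * copy      always set to 0; the returned object is freshly decoded here
 *
 * Returns the decoded session (NULL if decoding fails), or NULL when no
 * entry matches or the matching entry has expired.  An expired entry is
 * unlinked from the expire queue and the rbtree and its slab memory is
 * freed before returning.
 */
static ngx_ssl_session_t *
ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, u_char *id, int len,
    int *copy)
{
#if OPENSSL_VERSION_NUMBER >= 0x0090707fL
    const
#endif
    u_char                   *p;
    int                       slen;
    uint32_t                  hash;
    ngx_int_t                 rc;
    ngx_shm_zone_t           *shm_zone;
    ngx_slab_pool_t          *shpool;
    ngx_connection_t         *c;
    ngx_rbtree_node_t        *node, *sentinel;
    ngx_ssl_session_t        *sess;
    ngx_ssl_sess_id_t        *sess_id;
    ngx_ssl_session_cache_t  *cache;
    u_char                    buf[NGX_SSL_MAX_SESSION_SIZE];

    c = ngx_ssl_get_connection(ssl_conn);

    /* CRC32 of the id is only the tree key; full ids are compared below */
    hash = ngx_crc32_short(id, (size_t) len);
    *copy = 0;

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "ssl get session: %08XD:%d", hash, len);

    shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
                                   ngx_ssl_session_cache_index);

    cache = shm_zone->data;

    sess = NULL;

    shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;

    ngx_shmtx_lock(&shpool->mutex);

    node = cache->session_rbtree.root;
    sentinel = cache->session_rbtree.sentinel;

    while (node != sentinel) {

        if (hash < node->key) {
            node = node->left;
            continue;
        }

        if (hash > node->key) {
            node = node->right;
            continue;
        }

        /* hash == node->key */

        do {
            sess_id = (ngx_ssl_sess_id_t *) node;

            /* node->data holds the stored id length */
            rc = ngx_memn2cmp(id, sess_id->id,
                              (size_t) len, (size_t) node->data);
            if (rc == 0) {

                if (sess_id->expire > ngx_time()) {

                    /*
                     * Snapshot the length while the mutex is held: once
                     * the lock is dropped another process sharing the zone
                     * may free or reuse this entry, so sess_id must not be
                     * dereferenced again.  Reading sess_id->len after the
                     * unlock could hand d2i_SSL_SESSION() a length that
                     * does not match the bytes copied into buf.
                     *
                     * NOTE(review): buf is NGX_SSL_MAX_SESSION_SIZE bytes;
                     * this copy assumes the insert path rejected larger
                     * sessions -- confirm against ngx_ssl_new_session().
                     */
                    slen = sess_id->len;

                    ngx_memcpy(buf, sess_id->session, slen);

                    ngx_shmtx_unlock(&shpool->mutex);

                    /* decode from the private copy, outside the lock */
                    p = buf;
                    sess = d2i_SSL_SESSION(NULL, &p, slen);

                    return sess;
                }

                /* matching entry has expired: drop it and report a miss */

                ngx_queue_remove(&sess_id->queue);

                ngx_rbtree_delete(&cache->session_rbtree, node);

                ngx_slab_free_locked(shpool, sess_id->session);
#if (NGX_PTR_SIZE == 4)
                ngx_slab_free_locked(shpool, sess_id->id);
#endif
                ngx_slab_free_locked(shpool, sess_id);

                sess = NULL;

                goto done;
            }

            node = (rc < 0) ? node->left : node->right;

        } while (node != sentinel && hash == node->key);

        break;
    }

done:

    ngx_shmtx_unlock(&shpool->mutex);

    return sess;
}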
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1770 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1771 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
/*
 * Invalidates a session for the given context: it is removed through
 * OpenSSL's SSL_CTX_remove_session() and then looked up and dropped from
 * the shared-memory session cache by ngx_ssl_remove_session().
 */
void
ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
{
    /* OpenSSL's per-context session cache */
    SSL_CTX_remove_session(ssl, sess);

    /* shared-memory cache entry; returns quietly if no zone is attached */
    ngx_ssl_remove_session(ssl, sess);
}
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1779 |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1780 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
/*
 * Removes the entry for the given session from the shared-memory session
 * cache, if the SSL_CTX has a cache zone attached and an entry with the
 * same session id exists.  The entry is unlinked from the expire queue and
 * the rbtree and its slab allocations are freed, all under the pool mutex.
 */
static void
ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
{
    size_t                    id_len;
    u_char                   *sid;
    uint32_t                  key;
    ngx_int_t                 cmp;
    ngx_shm_zone_t           *zone;
    ngx_slab_pool_t          *pool;
    ngx_rbtree_node_t        *cur, *nil;
    ngx_ssl_sess_id_t        *entry;
    ngx_ssl_session_cache_t  *sc;

    zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index);
    if (zone == NULL) {
        /* no cache zone is attached to this context */
        return;
    }

    sc = zone->data;
    pool = (ngx_slab_pool_t *) zone->shm.addr;

    sid = sess->session_id;
    id_len = (size_t) sess->session_id_length;

    /* CRC32 of the id is the rbtree key; full ids are compared below */
    key = ngx_crc32_short(sid, id_len);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
                   "ssl remove session: %08XD:%uz", key, id_len);

    ngx_shmtx_lock(&pool->mutex);

    nil = sc->session_rbtree.sentinel;
    cur = sc->session_rbtree.root;

    while (cur != nil) {

        if (key != cur->key) {
            cur = (key < cur->key) ? cur->left : cur->right;
            continue;
        }

        /*
         * Equal hash: compare the full session id, descending only while
         * the next node still carries the same key.
         */

        for ( ;; ) {
            entry = (ngx_ssl_sess_id_t *) cur;

            /* cur->data holds the stored id length */
            cmp = ngx_memn2cmp(sid, entry->id, id_len, (size_t) cur->data);

            if (cmp == 0) {
                ngx_queue_remove(&entry->queue);

                ngx_rbtree_delete(&sc->session_rbtree, cur);

                ngx_slab_free_locked(pool, entry->session);
#if (NGX_PTR_SIZE == 4)
                ngx_slab_free_locked(pool, entry->id);
#endif
                ngx_slab_free_locked(pool, entry);

                break;
            }

            cur = (cmp < 0) ? cur->left : cur->right;

            if (cur == nil || key != cur->key) {
                break;
            }
        }

        /* the search ends once a node with an equal hash was examined */
        break;
    }

    ngx_shmtx_unlock(&pool->mutex);
}
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1862 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1863 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
/*
 * Drop entries from the tail of cache->expire_queue.
 *
 * At most (3 - n) entries are examined.  When the function is entered with
 * n == 0 the first tail entry is removed whether or not it has expired;
 * every other entry is removed only if its expire time has been reached,
 * and the walk stops at the first entry that is still valid.
 *
 * The *_locked slab calls suggest the caller already holds the shared
 * pool mutex - TODO confirm against the callers.
 */
static void
ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
    ngx_slab_pool_t *shpool, ngx_uint_t n)
{
    time_t              current;
    ngx_queue_t        *tail;
    ngx_ssl_sess_id_t  *victim;

    current = ngx_time();

    for ( /* void */ ; n < 3; n++) {

        if (ngx_queue_empty(&cache->expire_queue)) {
            return;
        }

        tail = ngx_queue_last(&cache->expire_queue);
        victim = ngx_queue_data(tail, ngx_ssl_sess_id_t, queue);

        /* only the very first pass of an n == 0 call skips the expiry test */
        if (n != 0 && victim->expire > current) {
            return;
        }

        ngx_queue_remove(tail);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
                       "expire session: %08Xi", victim->node.key);

        ngx_rbtree_delete(&cache->session_rbtree, &victim->node);

        /* release the cached session first, the bookkeeping node last */
        ngx_slab_free_locked(shpool, victim->session);
#if (NGX_PTR_SIZE == 4)
        /* the id is released separately only in 32-bit builds */
        ngx_slab_free_locked(shpool, victim->id);
#endif
        ngx_slab_free_locked(shpool, victim);
    }
}
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1902 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1903 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
/*
 * rbtree insert callback for the SSL session cache.
 *
 * Walks down from temp until a sentinel slot is found and links node there
 * as a red leaf.  Nodes are ordered by node->key; when two keys are equal
 * the session ids themselves are compared with ngx_memn2cmp(), using
 * node->data as the id length, so entries whose keys collide are kept as
 * separate nodes.
 */
static void
ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
    ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel)
{
    ngx_int_t            go_left;
    ngx_rbtree_node_t  **slot;
    ngx_ssl_sess_id_t   *incoming, *current;

    for ( ;; ) {

        if (node->key != temp->key) {
            go_left = (node->key < temp->key);

        } else {
            /* equal keys: fall back to comparing the full session ids */
            incoming = (ngx_ssl_sess_id_t *) node;
            current = (ngx_ssl_sess_id_t *) temp;

            go_left = (ngx_memn2cmp(incoming->id, current->id,
                                    (size_t) node->data, (size_t) temp->data)
                       < 0);
        }

        slot = go_left ? &temp->left : &temp->right;

        if (*slot == sentinel) {
            break;
        }

        temp = *slot;
    }

    /* attach as a red leaf; rebalancing is left to the generic rbtree code */
    *slot = node;
    node->parent = temp;
    node->left = sentinel;
    node->right = sentinel;
    ngx_rbt_red(node);
}
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1944 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1945 |
/*
 * Release the SSL_CTX held by the ngx_ssl_t that is passed in through the
 * opaque data pointer.
 */
void
ngx_ssl_cleanup_ctx(void *data)
{
    ngx_ssl_t  *ssl;

    ssl = data;

    SSL_CTX_free(ssl->ctx);
}
541 | 1953 |
1954 | |
/*
 * Point s->data at the protocol version string OpenSSL reports for the
 * connection.  Only s->data is written: s->len is left untouched and pool
 * is not used, so the length presumably has to be derived by the caller
 * from the C string - verify against the caller.
 */
ngx_int_t
ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    const char  *version;

    version = SSL_get_version(c->ssl->connection);

    s->data = (u_char *) version;

    return NGX_OK;
}
1961 | |
1962 | |
/*
 * Point s->data at the name of the cipher negotiated on the connection.
 * Only s->data is written: s->len is left untouched and pool is not used,
 * so the length presumably has to be derived by the caller from the
 * C string - verify against the caller.
 */
ngx_int_t
ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    const char  *cipher;

    cipher = SSL_get_cipher_name(c->ssl->connection);

    s->data = (u_char *) cipher;

    return NGX_OK;
}
1969 | |
1970 | |
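/*
 * Store in s the hex dump of the DER serialization of the connection's
 * SSL session.  The result is allocated from pool and is twice as long as
 * the serialized form; a temporary heap buffer holds the DER bytes.
 *
 * Returns NGX_OK with s->len == 0 when the connection has no session or
 * there is nothing to serialize, NGX_ERROR when an allocation fails.
 *
 * NOTE(review): i2d_SSL_SESSION() serializes the whole session object and
 * not only the session identifier, so the value can carry secret session
 * state.  Confirm that this is intended before the result is written to
 * logs or passed to other systems.
 */
ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    int           len;
    u_char       *p, *buf;
    SSL_SESSION  *sess;

    s->len = 0;

    sess = SSL_get0_session(c->ssl->connection);
    if (sess == NULL) {
        /* no session: report an empty value, as the certificate getters do */
        return NGX_OK;
    }

    /* first call only measures the encoding; it must be positive to go on */
    len = i2d_SSL_SESSION(sess, NULL);
    if (len <= 0) {
        return NGX_OK;
    }

    buf = ngx_alloc(len, c->log);
    if (buf == NULL) {
        return NGX_ERROR;
    }

    s->data = ngx_pnalloc(pool, 2 * (size_t) len);
    if (s->data == NULL) {
        ngx_free(buf);
        return NGX_ERROR;
    }

    s->len = 2 * (size_t) len;

    /* i2d_SSL_SESSION() advances the pointer it is given, so pass a copy */
    p = buf;
    i2d_SSL_SESSION(sess, &p);

    ngx_hex_dump(s->data, buf, len);

    ngx_free(buf);

    return NGX_OK;
}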
966f9cf9c7da
merge r3155, r3156, r3160, r969, r3191, r3197, r3358:
Igor Sysoev <igor@sysoev.ru>
parents:
3339
diff
changeset
|
2003 |
966f9cf9c7da
merge r3155, r3156, r3160, r969, r3191, r3197, r3358:
Igor Sysoev <igor@sysoev.ru>
parents:
3339
diff
changeset
|
2004 |
966f9cf9c7da
merge r3155, r3156, r3160, r969, r3191, r3197, r3358:
Igor Sysoev <igor@sysoev.ru>
parents:
3339
diff
changeset
|
/*
 * Store in s the PEM text of the peer certificate, allocated from pool.
 *
 * Returns NGX_OK with s->len == 0 when the peer presented no certificate,
 * NGX_ERROR when the memory BIO cannot be created, the PEM encoding fails
 * or the pool allocation fails.  The certificate reference obtained from
 * SSL_get_peer_certificate() is released on every path.
 *
 * NOTE(review): the return value of BIO_read() is not checked.
 */
ngx_int_t
ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    BIO        *mem;
    X509       *peer;
    size_t      pem_len;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    mem = BIO_new(BIO_s_mem());
    if (mem == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        X509_free(peer);
        return NGX_ERROR;
    }

    rc = NGX_ERROR;

    if (PEM_write_bio_X509(mem, peer) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");

    } else {
        /* everything pending in the memory BIO is the PEM text */
        pem_len = BIO_pending(mem);
        s->len = pem_len;

        s->data = ngx_pnalloc(pool, pem_len);
        if (s->data != NULL) {
            BIO_read(mem, s->data, pem_len);
            rc = NGX_OK;
        }
    }

    BIO_free(mem);
    X509_free(peer);

    return rc;
}
2053 | |
2054 | |
/*
 * Store in s a copy of the peer certificate's PEM text in which every LF
 * is followed by a tab and the last byte of the PEM text is left out
 * (presumably its trailing newline - TODO confirm).
 *
 * Returns NGX_OK with s->len == 0 when there is no peer certificate and
 * NGX_ERROR when fetching the PEM text or the pool allocation fails.
 *
 * NOTE(review): the LF bytes stay in the output; a consumer that places
 * the value in a single-line context has to deal with them.
 */
ngx_int_t
ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    u_char     *src, *end, *dst;
    size_t      out_len;
    ngx_str_t   pem;

    if (ngx_ssl_get_raw_certificate(c, pool, &pem) != NGX_OK) {
        return NGX_ERROR;
    }

    if (pem.len == 0) {
        s->len = 0;
        return NGX_OK;
    }

    /* both passes stop one byte short of the end of the PEM text */
    end = pem.data + (pem.len - 1);

    /* first pass: one extra output byte for every LF */
    out_len = pem.len - 1;

    for (src = pem.data; src < end; src++) {
        if (*src == LF) {
            out_len++;
        }
    }

    s->len = out_len;
    s->data = ngx_pnalloc(pool, out_len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    /* second pass: copy, inserting a tab after each LF */
    dst = s->data;

    for (src = pem.data; src < end; src++) {
        *dst++ = *src;

        if (*src == LF) {
            *dst++ = '\t';
        }
    }

    return NGX_OK;
}
2097 | |
2098 | |
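/*
 * Store in s the one-line form of the peer certificate's subject name,
 * allocated from pool and not NUL-terminated.
 *
 * Returns NGX_OK with s->len == 0 when the peer presented no certificate,
 * NGX_ERROR when the name cannot be obtained or formatted or the pool
 * allocation fails.  The certificate reference and the OpenSSL string are
 * released on every path.
 *
 * The text originates from the peer's certificate; treat it as untrusted
 * input wherever it is logged or forwarded.
 */
ngx_int_t
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    char       *p;
    size_t      len;
    X509       *cert;
    X509_NAME  *name;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    name = X509_get_subject_name(cert);
    if (name == NULL) {
        X509_free(cert);
        return NGX_ERROR;
    }

    /* with a NULL buffer OpenSSL allocates the string; that can fail */
    p = X509_NAME_oneline(name, NULL, 0);
    if (p == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed");
        X509_free(cert);
        return NGX_ERROR;
    }

    len = ngx_strlen(p);

    s->data = ngx_pnalloc(pool, len);
    if (s->data == NULL) {
        OPENSSL_free(p);
        X509_free(cert);
        return NGX_ERROR;
    }

    s->len = len;
    ngx_memcpy(s->data, p, len);

    OPENSSL_free(p);
    X509_free(cert);

    return NGX_OK;
}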
2139 | |
2140 | |
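/*
 * Store in s the one-line form of the peer certificate's issuer name,
 * allocated from pool and not NUL-terminated.
 *
 * Returns NGX_OK with s->len == 0 when the peer presented no certificate,
 * NGX_ERROR when the name cannot be obtained or formatted or the pool
 * allocation fails.  The certificate reference and the OpenSSL string are
 * released on every path.
 *
 * The text originates from the peer's certificate; treat it as untrusted
 * input wherever it is logged or forwarded.
 */
ngx_int_t
ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    char       *p;
    size_t      len;
    X509       *cert;
    X509_NAME  *name;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    name = X509_get_issuer_name(cert);
    if (name == NULL) {
        X509_free(cert);
        return NGX_ERROR;
    }

    /* with a NULL buffer OpenSSL allocates the string; that can fail */
    p = X509_NAME_oneline(name, NULL, 0);
    if (p == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed");
        X509_free(cert);
        return NGX_ERROR;
    }

    len = ngx_strlen(p);

    s->data = ngx_pnalloc(pool, len);
    if (s->data == NULL) {
        OPENSSL_free(p);
        X509_free(cert);
        return NGX_ERROR;
    }

    s->len = len;
    ngx_memcpy(s->data, p, len);

    OPENSSL_free(p);
    X509_free(cert);

    return NGX_OK;
}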
2181 | |
2182 | |
/*
 * Store in s the text form of the peer certificate's serial number as
 * written by i2a_ASN1_INTEGER(), allocated from pool.
 *
 * Returns NGX_OK with s->len == 0 when the peer presented no certificate,
 * NGX_ERROR when the memory BIO or the pool allocation fails.
 *
 * NOTE(review): the return values of i2a_ASN1_INTEGER() and BIO_read()
 * are not checked, and a BIO_new() failure is not logged here.
 */
ngx_int_t
ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    BIO        *mem;
    X509       *peer;
    size_t      text_len;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    mem = BIO_new(BIO_s_mem());
    if (mem == NULL) {
        X509_free(peer);
        return NGX_ERROR;
    }

    i2a_ASN1_INTEGER(mem, X509_get_serialNumber(peer));

    /* everything pending in the memory BIO is the serial number text */
    text_len = BIO_pending(mem);
    s->len = text_len;

    s->data = ngx_pnalloc(pool, text_len);

    if (s->data != NULL) {
        BIO_read(mem, s->data, text_len);
        rc = NGX_OK;

    } else {
        rc = NGX_ERROR;
    }

    BIO_free(mem);
    X509_free(peer);

    return rc;
}
2220 | |
2221 | |
3243
08570d26c7c5
merge r2995, r2996, r2997, r2998, r3003, r3141, r3210, r3211, r3232:
Igor Sysoev <igor@sysoev.ru>
parents:
3237
diff
changeset
|
/*
 * Report the client certificate verification outcome as a constant string:
 * "FAILED" when the verify result is not X509_V_OK, "SUCCESS" when it is
 * X509_V_OK and the peer presented a certificate, "NONE" when it is
 * X509_V_OK but no certificate was presented.
 *
 * The certificate lookup is what separates "SUCCESS" from "NONE": a verify
 * result of X509_V_OK alone does not show that a certificate was sent.
 * s->data points at a string literal; pool is not used.
 */
ngx_int_t
ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    X509        *cert;
    ngx_uint_t   presented;

    if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
        s->len = sizeof("FAILED") - 1;
        s->data = (u_char *) "FAILED";

        return NGX_OK;
    }

    cert = SSL_get_peer_certificate(c->ssl->connection);

    /* only the presence of the certificate matters; drop the reference */
    presented = (cert != NULL);

    X509_free(cert);

    if (!presented) {
        s->len = sizeof("NONE") - 1;
        s->data = (u_char *) "NONE";

    } else {
        s->len = sizeof("SUCCESS") - 1;
        s->data = (u_char *) "SUCCESS";
    }

    return NGX_OK;
}
08570d26c7c5
merge r2995, r2996, r2997, r2998, r3003, r3141, r3210, r3211, r3232:
Igor Sysoev <igor@sysoev.ru>
parents:
3237
diff
changeset
|
2249 |
08570d26c7c5
merge r2995, r2996, r2997, r2998, r3003, r3141, r3210, r3211, r3232:
Igor Sysoev <igor@sysoev.ru>
parents:
3237
diff
changeset
|
2250 |
/*
 * Allocate the module configuration from the cycle pool.
 *
 * ngx_pcalloc() zero-fills the structure, which leaves oscf->engine = 0.
 * A failed allocation is passed on to the caller as NULL.
 */
static void *
ngx_openssl_create_conf(ngx_cycle_t *cycle)
{
    return ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t));
}
2269 | |
2270 | |
/*
 * Configuration directive handler: look up the OpenSSL engine named by the
 * directive's first argument and make it the default for all methods.
 *
 * Returns "is duplicate" when the directive was already seen,
 * NGX_CONF_ERROR when the engine cannot be found or cannot be set as the
 * default, NGX_CONF_OK otherwise.  The reference taken by ENGINE_by_id()
 * is dropped before returning.
 *
 * ENGINE_METHOD_ALL routes every operation type the engine implements
 * through it, so the engine id in the configuration should name a module
 * the operator trusts.
 */
static char *
ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_openssl_conf_t *oscf = conf;

    char       *rv;
    ENGINE     *engine;
    ngx_str_t  *value, *id;

    if (oscf->engine) {
        return "is duplicate";
    }

    /* marked as seen before the lookup, so a failed attempt also counts */
    oscf->engine = 1;

    value = cf->args->elts;
    id = &value[1];

    engine = ENGINE_by_id((const char *) id->data);

    if (engine == NULL) {
        ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
                      "ENGINE_by_id(\"%V\") failed", id);
        return NGX_CONF_ERROR;
    }

    rv = NGX_CONF_OK;

    if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
        ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
                      "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
                      id);

        rv = NGX_CONF_ERROR;
    }

    ENGINE_free(engine);

    return rv;
}
571 | 2309 |
2310 | |
/*
 * Module exit hook: release the resources held by OpenSSL's ENGINE
 * subsystem.  The cycle argument is not used.
 */
static void
ngx_openssl_exit(ngx_cycle_t *cycle)
{
    (void) cycle;

    ENGINE_cleanup();
}