nxt_openssl.c (1818:fa6569d00fe4) nxt_openssl.c (1828:c548e46fe516)
1
2/*
3 * Copyright (C) Igor Sysoev
4 * Copyright (C) NGINX, Inc.
5 */
6
7#include <nxt_main.h>
8#include <openssl/ssl.h>
9#include <openssl/conf.h>
10#include <openssl/err.h>
11#include <openssl/rand.h>
1
2/*
3 * Copyright (C) Igor Sysoev
4 * Copyright (C) NGINX, Inc.
5 */
6
7#include <nxt_main.h>
8#include <openssl/ssl.h>
9#include <openssl/conf.h>
10#include <openssl/err.h>
11#include <openssl/rand.h>
12#include <openssl/x509v3.h>
12
13
14typedef struct {
13
14
15typedef struct {
15 SSL *session;
16 nxt_conn_t *conn;
16 SSL *session;
17 nxt_conn_t *conn;
17
18
18 int ssl_error;
19 uint8_t times; /* 2 bits */
20 uint8_t handshake; /* 1 bit */
19 int ssl_error;
20 uint8_t times; /* 2 bits */
21 uint8_t handshake; /* 1 bit */
21
22
22 nxt_buf_mem_t buffer;
23 nxt_tls_conf_t *conf;
24 nxt_buf_mem_t buffer;
23} nxt_openssl_conn_t;
24
25
26typedef enum {
27 NXT_OPENSSL_HANDSHAKE = 0,
28 NXT_OPENSSL_READ,
29 NXT_OPENSSL_WRITE,
30 NXT_OPENSSL_SHUTDOWN,

--- 4 unchanged lines hidden (view full) ---

35static void nxt_openssl_library_free(nxt_task_t *task);
36#if OPENSSL_VERSION_NUMBER < 0x10100004L
37static nxt_int_t nxt_openssl_locks_init(void);
38static void nxt_openssl_lock(int mode, int type, const char *file, int line);
39static unsigned long nxt_openssl_thread_id(void);
40static void nxt_openssl_locks_free(void);
41#endif
42static nxt_int_t nxt_openssl_server_init(nxt_task_t *task,
25} nxt_openssl_conn_t;
26
27
28typedef enum {
29 NXT_OPENSSL_HANDSHAKE = 0,
30 NXT_OPENSSL_READ,
31 NXT_OPENSSL_WRITE,
32 NXT_OPENSSL_SHUTDOWN,

--- 4 unchanged lines hidden (view full) ---

37static void nxt_openssl_library_free(nxt_task_t *task);
38#if OPENSSL_VERSION_NUMBER < 0x10100004L
39static nxt_int_t nxt_openssl_locks_init(void);
40static void nxt_openssl_lock(int mode, int type, const char *file, int line);
41static unsigned long nxt_openssl_thread_id(void);
42static void nxt_openssl_locks_free(void);
43#endif
44static nxt_int_t nxt_openssl_server_init(nxt_task_t *task,
43 nxt_tls_conf_t *conf);
44static nxt_int_t nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd);
45 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t last);
46static nxt_int_t nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx,
47 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t single);
48static nxt_uint_t nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert,
49 nxt_tls_conf_t *conf, nxt_mp_t *mp);
50static nxt_int_t nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq,
51 void *data);
52static nxt_int_t nxt_openssl_bundle_hash_insert(nxt_task_t *task,
53 nxt_lvlhsh_t *lvlhsh, nxt_tls_bundle_hash_item_t *item, nxt_mp_t * mp);
54static nxt_int_t nxt_openssl_servername(SSL *s, int *ad, void *arg);
55static nxt_tls_bundle_conf_t *nxt_openssl_find_ctx(nxt_tls_conf_t *conf,
56 nxt_str_t *sn);
45static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf);
46static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf,
47 nxt_conn_t *c);
48static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data);
49static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b);
50static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb);
51static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb,
52 void *buf, size_t size);

--- 187 unchanged lines hidden (view full) ---

240
241 OPENSSL_free(nxt_openssl_locks);
242}
243
244#endif
245
246
247static nxt_int_t
57static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf);
58static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf,
59 nxt_conn_t *c);
60static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data);
61static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b);
62static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb);
63static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb,
64 void *buf, size_t size);

--- 187 unchanged lines hidden (view full) ---

252
253 OPENSSL_free(nxt_openssl_locks);
254}
255
256#endif
257
258
259static nxt_int_t
248nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf)
260nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf,
261 nxt_mp_t *mp, nxt_bool_t last)
249{
262{
250 SSL_CTX *ctx;
251 nxt_fd_t fd;
252 const char *ciphers, *ca_certificate;
253 STACK_OF(X509_NAME) *list;
263 SSL_CTX *ctx;
264 const char *ciphers, *ca_certificate;
265 STACK_OF(X509_NAME) *list;
266 nxt_tls_bundle_conf_t *bundle;
254
255 ctx = SSL_CTX_new(SSLv23_server_method());
256 if (ctx == NULL) {
257 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed");
258 return NXT_ERROR;
259 }
260
267
268 ctx = SSL_CTX_new(SSLv23_server_method());
269 if (ctx == NULL) {
270 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed");
271 return NXT_ERROR;
272 }
273
261 conf->ctx = ctx;
262 conf->conn_init = nxt_openssl_conn_init;
274 bundle = conf->bundle;
275 nxt_assert(bundle != NULL);
263
276
277 bundle->ctx = ctx;
278
264#ifdef SSL_OP_NO_RENEGOTIATION
265 /* Renegration is not currently supported. */
266 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
267#endif
268
269#ifdef SSL_OP_NO_COMPRESSION
270 /*
271 * Disable gzip compression in OpenSSL 1.0.0,

--- 10 unchanged lines hidden (view full) ---

282 * this saves about 34K per idle connection. It is not safe
283 * before OpenSSL 1.0.1h (CVE-2010-5298).
284 */
285 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
286 }
287
288#endif
289
279#ifdef SSL_OP_NO_RENEGOTIATION
280 /* Renegration is not currently supported. */
281 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
282#endif
283
284#ifdef SSL_OP_NO_COMPRESSION
285 /*
286 * Disable gzip compression in OpenSSL 1.0.0,

--- 10 unchanged lines hidden (view full) ---

297 * this saves about 34K per idle connection. It is not safe
298 * before OpenSSL 1.0.1h (CVE-2010-5298).
299 */
300 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
301 }
302
303#endif
304
290 fd = conf->chain_file;
291
292 if (nxt_openssl_chain_file(ctx, fd) != NXT_OK) {
293 nxt_openssl_log_error(task, NXT_LOG_ALERT,
294 "nxt_openssl_chain_file() failed");
305 if (nxt_openssl_chain_file(task, ctx, conf, mp,
306 last && bundle->next == NULL)
307 != NXT_OK)
308 {
295 goto fail;
296 }
297/*
298 key = conf->certificate_key;
299
300 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) {
301 nxt_openssl_log_error(task, NXT_LOG_ALERT,
302 "SSL_CTX_use_PrivateKey_file(\"%s\") failed",

--- 42 unchanged lines hidden (view full) ---

345 * SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and
346 * 0.9.8 versions always leaves an error in the error queue.
347 */
348 ERR_clear_error();
349
350 SSL_CTX_set_client_CA_list(ctx, list);
351 }
352
309 goto fail;
310 }
311/*
312 key = conf->certificate_key;
313
314 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) {
315 nxt_openssl_log_error(task, NXT_LOG_ALERT,
316 "SSL_CTX_use_PrivateKey_file(\"%s\") failed",

--- 42 unchanged lines hidden (view full) ---

359 * SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and
360 * 0.9.8 versions always leaves an error in the error queue.
361 */
362 ERR_clear_error();
363
364 SSL_CTX_set_client_CA_list(ctx, list);
365 }
366
367 if (last) {
368 conf->conn_init = nxt_openssl_conn_init;
369
370 if (bundle->next != NULL) {
371 SSL_CTX_set_tlsext_servername_callback(ctx, nxt_openssl_servername);
372 }
373 }
374
353 return NXT_OK;
354
355fail:
356
357 SSL_CTX_free(ctx);
358
359#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \
360 && OPENSSL_VERSION_NUMBER < 0x1010101fL)
361 RAND_keep_random_devices_open(0);
362#endif
363
364 return NXT_ERROR;
365}
366
367
368static nxt_int_t
375 return NXT_OK;
376
377fail:
378
379 SSL_CTX_free(ctx);
380
381#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \
382 && OPENSSL_VERSION_NUMBER < 0x1010101fL)
383 RAND_keep_random_devices_open(0);
384#endif
385
386 return NXT_ERROR;
387}
388
389
390static nxt_int_t
369nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd)
391nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, nxt_tls_conf_t *conf,
392 nxt_mp_t *mp, nxt_bool_t single)
370{
393{
371 BIO *bio;
372 X509 *cert, *ca;
373 long reason;
374 EVP_PKEY *key;
375 nxt_int_t ret;
394 BIO *bio;
395 X509 *cert, *ca;
396 long reason;
397 EVP_PKEY *key;
398 nxt_int_t ret;
399 nxt_tls_bundle_conf_t *bundle;
376
400
401 ret = NXT_ERROR;
402 cert = NULL;
403
377 bio = BIO_new(BIO_s_fd());
378 if (bio == NULL) {
404 bio = BIO_new(BIO_s_fd());
405 if (bio == NULL) {
379 return NXT_ERROR;
406 goto end;
380 }
381
407 }
408
382 BIO_set_fd(bio, fd, BIO_CLOSE);
409 bundle = conf->bundle;
383
410
384 ret = NXT_ERROR;
411 BIO_set_fd(bio, bundle->chain_file, BIO_CLOSE);
385
386 cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
387 if (cert == NULL) {
388 goto end;
389 }
390
391 if (SSL_CTX_use_certificate(ctx, cert) != 1) {
392 goto end;
393 }
394
412
413 cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
414 if (cert == NULL) {
415 goto end;
416 }
417
418 if (SSL_CTX_use_certificate(ctx, cert) != 1) {
419 goto end;
420 }
421
422 if (!single && nxt_openssl_cert_get_names(task, cert, conf, mp) != NXT_OK) {
423 goto clean;
424 }
425
395 for ( ;; ) {
396 ca = PEM_read_bio_X509(bio, NULL, NULL, NULL);
397
398 if (ca == NULL) {
399 reason = ERR_GET_REASON(ERR_peek_last_error());
400 if (reason != PEM_R_NO_START_LINE) {
401 goto end;
402 }

--- 29 unchanged lines hidden (view full) ---

432 if (SSL_CTX_use_PrivateKey(ctx, key) == 1) {
433 ret = NXT_OK;
434 }
435
436 EVP_PKEY_free(key);
437
438end:
439
426 for ( ;; ) {
427 ca = PEM_read_bio_X509(bio, NULL, NULL, NULL);
428
429 if (ca == NULL) {
430 reason = ERR_GET_REASON(ERR_peek_last_error());
431 if (reason != PEM_R_NO_START_LINE) {
432 goto end;
433 }

--- 29 unchanged lines hidden (view full) ---

463 if (SSL_CTX_use_PrivateKey(ctx, key) == 1) {
464 ret = NXT_OK;
465 }
466
467 EVP_PKEY_free(key);
468
469end:
470
440 X509_free(cert);
471 if (ret != NXT_OK) {
472 nxt_openssl_log_error(task, NXT_LOG_ALERT,
473 "nxt_openssl_chain_file() failed");
474 }
475
476clean:
477
441 BIO_free(bio);
478 BIO_free(bio);
479 X509_free(cert);
442
443 return ret;
444}
445
446
480
481 return ret;
482}
483
484
485static nxt_uint_t
486nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, nxt_tls_conf_t *conf,
487 nxt_mp_t *mp)
488{
489 int len;
490 nxt_str_t domain, str;
491 X509_NAME *x509_name;
492 nxt_uint_t i, n;
493 GENERAL_NAME *name;
494 nxt_tls_bundle_conf_t *bundle;
495 STACK_OF(GENERAL_NAME) *alt_names;
496 nxt_tls_bundle_hash_item_t *item;
497
498 bundle = conf->bundle;
499
500 alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
501
502 if (alt_names != NULL) {
503 n = sk_GENERAL_NAME_num(alt_names);
504
505 for (i = 0; i != n; i++) {
506 name = sk_GENERAL_NAME_value(alt_names, i);
507
508 if (name->type != GEN_DNS) {
509 continue;
510 }
511
512 str.length = ASN1_STRING_length(name->d.dNSName);
513#if OPENSSL_VERSION_NUMBER > 0x10100000L
514 str.start = (u_char *) ASN1_STRING_get0_data(name->d.dNSName);
515#else
516 str.start = ASN1_STRING_data(name->d.dNSName);
517#endif
518
519 domain.start = nxt_mp_nget(mp, str.length);
520 if (nxt_slow_path(domain.start == NULL)) {
521 goto fail;
522 }
523
524 domain.length = str.length;
525 nxt_memcpy_lowcase(domain.start, str.start, str.length);
526
527 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t));
528 if (nxt_slow_path(item == NULL)) {
529 goto fail;
530 }
531
532 item->name = domain;
533 item->bundle = bundle;
534
535 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash,
536 item, mp)
537 == NXT_ERROR)
538 {
539 goto fail;
540 }
541 }
542
543 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
544
545 } else {
546 x509_name = X509_get_subject_name(cert);
547 len = X509_NAME_get_text_by_NID(x509_name, NID_commonName,
548 NULL, 0);
549 if (len <= 0) {
550 nxt_log(task, NXT_LOG_WARN, "certificate \"%V\" has neither "
551 "Subject Alternative Name nor Common Name", bundle->name);
552 return NXT_OK;
553 }
554
555 domain.start = nxt_mp_nget(mp, len + 1);
556 if (nxt_slow_path(domain.start == NULL)) {
557 return NXT_ERROR;
558 }
559
560 domain.length = X509_NAME_get_text_by_NID(x509_name, NID_commonName,
561 (char *) domain.start,
562 len + 1);
563 nxt_memcpy_lowcase(domain.start, domain.start, domain.length);
564
565 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t));
566 if (nxt_slow_path(item == NULL)) {
567 return NXT_ERROR;
568 }
569
570 item->name = domain;
571 item->bundle = bundle;
572
573 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, item,
574 mp)
575 == NXT_ERROR)
576 {
577 return NXT_ERROR;
578 }
579 }
580
581 return NXT_OK;
582
583fail:
584
585 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
586
587 return NXT_ERROR;
588}
589
590
591static const nxt_lvlhsh_proto_t nxt_openssl_bundle_hash_proto
592 nxt_aligned(64) =
593{
594 NXT_LVLHSH_DEFAULT,
595 nxt_openssl_bundle_hash_test,
596 nxt_mp_lvlhsh_alloc,
597 nxt_mp_lvlhsh_free,
598};
599
600
601static nxt_int_t
602nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, void *data)
603{
604 nxt_tls_bundle_hash_item_t *item;
605
606 item = data;
607
608 return nxt_strstr_eq(&lhq->key, &item->name) ? NXT_OK : NXT_DECLINED;
609}
610
611
612static nxt_int_t
613nxt_openssl_bundle_hash_insert(nxt_task_t *task, nxt_lvlhsh_t *lvlhsh,
614 nxt_tls_bundle_hash_item_t *item, nxt_mp_t *mp)
615{
616 nxt_str_t str;
617 nxt_int_t ret;
618 nxt_lvlhsh_query_t lhq;
619 nxt_tls_bundle_hash_item_t *old;
620
621 str = item->name;
622
623 if (item->name.start[0] == '*') {
624 item->name.start++;
625 item->name.length--;
626
627 if (item->name.length == 0 || item->name.start[0] != '.') {
628 nxt_log(task, NXT_LOG_WARN, "ignored invalid name \"%V\" "
629 "in certificate \"%V\": missing \".\" "
630 "after wildcard symbol", &str, item->bundle->name);
631 return NXT_OK;
632 }
633 }
634
635 lhq.pool = mp;
636 lhq.key = item->name;
637 lhq.value = item;
638 lhq.proto = &nxt_openssl_bundle_hash_proto;
639 lhq.replace = 0;
640 lhq.key_hash = nxt_murmur_hash2(item->name.start, item->name.length);
641
642 ret = nxt_lvlhsh_insert(lvlhsh, &lhq);
643 if (nxt_fast_path(ret == NXT_OK)) {
644 nxt_debug(task, "name \"%V\" for certificate \"%V\" is inserted",
645 &str, item->bundle->name);
646 return NXT_OK;
647 }
648
649 if (nxt_fast_path(ret == NXT_DECLINED)) {
650 old = lhq.value;
651 if (old->bundle != item->bundle) {
652 nxt_log(task, NXT_LOG_WARN, "ignored duplicate name \"%V\" "
653 "in certificate \"%V\", identical name appears in \"%V\"",
654 &str, old->bundle->name, item->bundle->name);
655
656 old->bundle = item->bundle;
657 }
658
659 return NXT_OK;
660 }
661
662 return NXT_ERROR;
663}
664
665
666static nxt_int_t
667nxt_openssl_servername(SSL *s, int *ad, void *arg)
668{
669 nxt_str_t str;
670 nxt_uint_t i;
671 nxt_conn_t *c;
672 const char *servername;
673 nxt_tls_conf_t *conf;
674 nxt_openssl_conn_t *tls;
675 nxt_tls_bundle_conf_t *bundle;
676
677 c = SSL_get_ex_data(s, nxt_openssl_connection_index);
678
679 if (nxt_slow_path(c == NULL)) {
680 nxt_thread_log_alert("SSL_get_ex_data() failed");
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
682 }
683
684 servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
685 if (nxt_slow_path(servername == NULL)) {
686 nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned "
687 "NULL in server name callback");
688 return SSL_TLSEXT_ERR_ALERT_FATAL;
689 }
690
691 str.length = nxt_strlen(servername);
692 if (str.length == 0) {
693 nxt_debug(c->socket.task, "client sent zero-length server name");
694 goto done;
695 }
696
697 if (servername[0] == '.') {
698 nxt_debug(c->socket.task, "ignored the server name \"%s\": "
699 "leading \".\"", servername);
700 goto done;
701 }
702
703 nxt_debug(c->socket.task, "tls with servername \"%s\"", servername);
704
705 str.start = nxt_mp_nget(c->mem_pool, str.length);
706 if (nxt_slow_path(str.start == NULL)) {
707 return SSL_TLSEXT_ERR_ALERT_FATAL;
708 }
709
710 nxt_memcpy_lowcase(str.start, (const u_char *) servername, str.length);
711
712 tls = c->u.tls;
713 conf = tls->conf;
714
715 bundle = nxt_openssl_find_ctx(conf, &str);
716
717 if (bundle == NULL) {
718 for (i = 1; i < str.length; i++) {
719 if (str.start[i] == '.') {
720 str.start += i;
721 str.length -= i;
722
723 bundle = nxt_openssl_find_ctx(conf, &str);
724 break;
725 }
726 }
727 }
728
729 if (bundle != NULL) {
730 nxt_debug(c->socket.task, "new tls context found for \"%V\": \"%V\" "
731 "(old: \"%V\")", &str, bundle->name,
732 conf->bundle->name);
733
734 if (bundle != conf->bundle) {
735 if (SSL_set_SSL_CTX(s, bundle->ctx) == NULL) {
736 nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
737 "SSL_set_SSL_CTX() failed");
738
739 return SSL_TLSEXT_ERR_ALERT_FATAL;
740 }
741 }
742 }
743
744done:
745
746 return SSL_TLSEXT_ERR_OK;
747}
748
749
750static nxt_tls_bundle_conf_t *
751nxt_openssl_find_ctx(nxt_tls_conf_t *conf, nxt_str_t *sn)
752{
753 nxt_int_t ret;
754 nxt_lvlhsh_query_t lhq;
755 nxt_tls_bundle_hash_item_t *item;
756
757 lhq.key_hash = nxt_murmur_hash2(sn->start, sn->length);
758 lhq.key = *sn;
759 lhq.proto = &nxt_openssl_bundle_hash_proto;
760
761 ret = nxt_lvlhsh_find(&conf->bundle_hash, &lhq);
762 if (ret != NXT_OK) {
763 return NULL;
764 }
765
766 item = lhq.value;
767
768 return item->bundle;
769}
770
771
447static void
448nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf)
449{
772static void
773nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf)
774{
450 SSL_CTX_free(conf->ctx);
775 nxt_tls_bundle_conf_t *bundle;
451
776
777 bundle = conf->bundle;
778 nxt_assert(bundle != NULL);
779
780 do {
781 SSL_CTX_free(bundle->ctx);
782 bundle = bundle->next;
783 } while (bundle != NULL);
784
452#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \
453 && OPENSSL_VERSION_NUMBER < 0x1010101fL)
454 RAND_keep_random_devices_open(0);
455#endif
456}
457
458
459static void

--- 9 unchanged lines hidden (view full) ---

469 tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t));
470 if (tls == NULL) {
471 goto fail;
472 }
473
474 c->u.tls = tls;
475 nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size);
476
785#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \
786 && OPENSSL_VERSION_NUMBER < 0x1010101fL)
787 RAND_keep_random_devices_open(0);
788#endif
789}
790
791
792static void

--- 9 unchanged lines hidden (view full) ---

802 tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t));
803 if (tls == NULL) {
804 goto fail;
805 }
806
807 c->u.tls = tls;
808 nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size);
809
477 ctx = conf->ctx;
810 ctx = conf->bundle->ctx;
478
479 s = SSL_new(ctx);
480 if (s == NULL) {
481 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed");
482 goto fail;
483 }
484
485 tls->session = s;
811
812 s = SSL_new(ctx);
813 if (s == NULL) {
814 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed");
815 goto fail;
816 }
817
818 tls->session = s;
819 /* To pass TLS config to the nxt_openssl_servername() callback. */
820 tls->conf = conf;
486 tls->conn = c;
487
488 ret = SSL_set_fd(s, c->socket.fd);
489
490 if (ret == 0) {
491 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed",
492 c->socket.fd);
493 goto fail;

--- 5 unchanged lines hidden (view full) ---

499 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed");
500 goto fail;
501 }
502
503 c->io = &nxt_openssl_conn_io;
504 c->sendfile = NXT_CONN_SENDFILE_OFF;
505
506 nxt_openssl_conn_handshake(task, c, c->socket.data);
821 tls->conn = c;
822
823 ret = SSL_set_fd(s, c->socket.fd);
824
825 if (ret == 0) {
826 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed",
827 c->socket.fd);
828 goto fail;

--- 5 unchanged lines hidden (view full) ---

834 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed");
835 goto fail;
836 }
837
838 c->io = &nxt_openssl_conn_io;
839 c->sendfile = NXT_CONN_SENDFILE_OFF;
840
841 nxt_openssl_conn_handshake(task, c, c->socket.data);
842 /*
843 * TLS configuration might be destroyed after the TLS connection
844 * is established.
845 */
846 tls->conf = NULL;
507 return;
508
509fail:
510
511 nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler,
512 task, c, c->socket.data);
513}
514

--- 573 unchanged lines hidden ---
847 return;
848
849fail:
850
851 nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler,
852 task, c, c->socket.data);
853}
854

--- 573 unchanged lines hidden ---