Deleted
Added
nxt_openssl.c (1818:fa6569d00fe4) | nxt_openssl.c (1828:c548e46fe516) |
---|---|
1 2/* 3 * Copyright (C) Igor Sysoev 4 * Copyright (C) NGINX, Inc. 5 */ 6 7#include <nxt_main.h> 8#include <openssl/ssl.h> 9#include <openssl/conf.h> 10#include <openssl/err.h> 11#include <openssl/rand.h> | 1 2/* 3 * Copyright (C) Igor Sysoev 4 * Copyright (C) NGINX, Inc. 5 */ 6 7#include <nxt_main.h> 8#include <openssl/ssl.h> 9#include <openssl/conf.h> 10#include <openssl/err.h> 11#include <openssl/rand.h> |
12#include <openssl/x509v3.h> |
|
12 13 14typedef struct { | 13 14 15typedef struct { |
15 SSL *session; 16 nxt_conn_t *conn; | 16 SSL *session; 17 nxt_conn_t *conn; |
17 | 18 |
18 int ssl_error; 19 uint8_t times; /* 2 bits */ 20 uint8_t handshake; /* 1 bit */ | 19 int ssl_error; 20 uint8_t times; /* 2 bits */ 21 uint8_t handshake; /* 1 bit */ |
21 | 22 |
22 nxt_buf_mem_t buffer; | 23 nxt_tls_conf_t *conf; 24 nxt_buf_mem_t buffer; |
23} nxt_openssl_conn_t; 24 25 26typedef enum { 27 NXT_OPENSSL_HANDSHAKE = 0, 28 NXT_OPENSSL_READ, 29 NXT_OPENSSL_WRITE, 30 NXT_OPENSSL_SHUTDOWN, --- 4 unchanged lines hidden (view full) --- 35static void nxt_openssl_library_free(nxt_task_t *task); 36#if OPENSSL_VERSION_NUMBER < 0x10100004L 37static nxt_int_t nxt_openssl_locks_init(void); 38static void nxt_openssl_lock(int mode, int type, const char *file, int line); 39static unsigned long nxt_openssl_thread_id(void); 40static void nxt_openssl_locks_free(void); 41#endif 42static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, | 25} nxt_openssl_conn_t; 26 27 28typedef enum { 29 NXT_OPENSSL_HANDSHAKE = 0, 30 NXT_OPENSSL_READ, 31 NXT_OPENSSL_WRITE, 32 NXT_OPENSSL_SHUTDOWN, --- 4 unchanged lines hidden (view full) --- 37static void nxt_openssl_library_free(nxt_task_t *task); 38#if OPENSSL_VERSION_NUMBER < 0x10100004L 39static nxt_int_t nxt_openssl_locks_init(void); 40static void nxt_openssl_lock(int mode, int type, const char *file, int line); 41static unsigned long nxt_openssl_thread_id(void); 42static void nxt_openssl_locks_free(void); 43#endif 44static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, |
43 nxt_tls_conf_t *conf); 44static nxt_int_t nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd); | 45 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t last); 46static nxt_int_t nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, 47 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t single); 48static nxt_uint_t nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, 49 nxt_tls_conf_t *conf, nxt_mp_t *mp); 50static nxt_int_t nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, 51 void *data); 52static nxt_int_t nxt_openssl_bundle_hash_insert(nxt_task_t *task, 53 nxt_lvlhsh_t *lvlhsh, nxt_tls_bundle_hash_item_t *item, nxt_mp_t * mp); 54static nxt_int_t nxt_openssl_servername(SSL *s, int *ad, void *arg); 55static nxt_tls_bundle_conf_t *nxt_openssl_find_ctx(nxt_tls_conf_t *conf, 56 nxt_str_t *sn); |
45static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf); 46static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, 47 nxt_conn_t *c); 48static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data); 49static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b); 50static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb); 51static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, 52 void *buf, size_t size); --- 187 unchanged lines hidden (view full) --- 240 241 OPENSSL_free(nxt_openssl_locks); 242} 243 244#endif 245 246 247static nxt_int_t | 57static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf); 58static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, 59 nxt_conn_t *c); 60static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data); 61static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b); 62static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb); 63static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, 64 void *buf, size_t size); --- 187 unchanged lines hidden (view full) --- 252 253 OPENSSL_free(nxt_openssl_locks); 254} 255 256#endif 257 258 259static nxt_int_t |
248nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf) | 260nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf, 261 nxt_mp_t *mp, nxt_bool_t last) |
249{ | 262{ |
250 SSL_CTX *ctx; 251 nxt_fd_t fd; 252 const char *ciphers, *ca_certificate; 253 STACK_OF(X509_NAME) *list; | 263 SSL_CTX *ctx; 264 const char *ciphers, *ca_certificate; 265 STACK_OF(X509_NAME) *list; 266 nxt_tls_bundle_conf_t *bundle; |
254 255 ctx = SSL_CTX_new(SSLv23_server_method()); 256 if (ctx == NULL) { 257 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed"); 258 return NXT_ERROR; 259 } 260 | 267 268 ctx = SSL_CTX_new(SSLv23_server_method()); 269 if (ctx == NULL) { 270 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed"); 271 return NXT_ERROR; 272 } 273 |
261 conf->ctx = ctx; 262 conf->conn_init = nxt_openssl_conn_init; | 274 bundle = conf->bundle; 275 nxt_assert(bundle != NULL); |
263 | 276 |
277 bundle->ctx = ctx; 278 |
|
264#ifdef SSL_OP_NO_RENEGOTIATION 265 /* Renegration is not currently supported. */ 266 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); 267#endif 268 269#ifdef SSL_OP_NO_COMPRESSION 270 /* 271 * Disable gzip compression in OpenSSL 1.0.0, --- 10 unchanged lines hidden (view full) --- 282 * this saves about 34K per idle connection. It is not safe 283 * before OpenSSL 1.0.1h (CVE-2010-5298). 284 */ 285 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); 286 } 287 288#endif 289 | 279#ifdef SSL_OP_NO_RENEGOTIATION 280 /* Renegration is not currently supported. */ 281 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); 282#endif 283 284#ifdef SSL_OP_NO_COMPRESSION 285 /* 286 * Disable gzip compression in OpenSSL 1.0.0, --- 10 unchanged lines hidden (view full) --- 297 * this saves about 34K per idle connection. It is not safe 298 * before OpenSSL 1.0.1h (CVE-2010-5298). 299 */ 300 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); 301 } 302 303#endif 304 |
290 fd = conf->chain_file; 291 292 if (nxt_openssl_chain_file(ctx, fd) != NXT_OK) { 293 nxt_openssl_log_error(task, NXT_LOG_ALERT, 294 "nxt_openssl_chain_file() failed"); | 305 if (nxt_openssl_chain_file(task, ctx, conf, mp, 306 last && bundle->next == NULL) 307 != NXT_OK) 308 { |
295 goto fail; 296 } 297/* 298 key = conf->certificate_key; 299 300 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) { 301 nxt_openssl_log_error(task, NXT_LOG_ALERT, 302 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", --- 42 unchanged lines hidden (view full) --- 345 * SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and 346 * 0.9.8 versions always leaves an error in the error queue. 347 */ 348 ERR_clear_error(); 349 350 SSL_CTX_set_client_CA_list(ctx, list); 351 } 352 | 309 goto fail; 310 } 311/* 312 key = conf->certificate_key; 313 314 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) { 315 nxt_openssl_log_error(task, NXT_LOG_ALERT, 316 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", --- 42 unchanged lines hidden (view full) --- 359 * SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and 360 * 0.9.8 versions always leaves an error in the error queue. 361 */ 362 ERR_clear_error(); 363 364 SSL_CTX_set_client_CA_list(ctx, list); 365 } 366 |
367 if (last) { 368 conf->conn_init = nxt_openssl_conn_init; 369 370 if (bundle->next != NULL) { 371 SSL_CTX_set_tlsext_servername_callback(ctx, nxt_openssl_servername); 372 } 373 } 374 |
|
353 return NXT_OK; 354 355fail: 356 357 SSL_CTX_free(ctx); 358 359#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 360 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 361 RAND_keep_random_devices_open(0); 362#endif 363 364 return NXT_ERROR; 365} 366 367 368static nxt_int_t | 375 return NXT_OK; 376 377fail: 378 379 SSL_CTX_free(ctx); 380 381#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 382 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 383 RAND_keep_random_devices_open(0); 384#endif 385 386 return NXT_ERROR; 387} 388 389 390static nxt_int_t |
369nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd) | 391nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, nxt_tls_conf_t *conf, 392 nxt_mp_t *mp, nxt_bool_t single) |
370{ | 393{ |
371 BIO *bio; 372 X509 *cert, *ca; 373 long reason; 374 EVP_PKEY *key; 375 nxt_int_t ret; | 394 BIO *bio; 395 X509 *cert, *ca; 396 long reason; 397 EVP_PKEY *key; 398 nxt_int_t ret; 399 nxt_tls_bundle_conf_t *bundle; |
376 | 400 |
401 ret = NXT_ERROR; 402 cert = NULL; 403 |
|
377 bio = BIO_new(BIO_s_fd()); 378 if (bio == NULL) { | 404 bio = BIO_new(BIO_s_fd()); 405 if (bio == NULL) { |
379 return NXT_ERROR; | 406 goto end; |
380 } 381 | 407 } 408 |
382 BIO_set_fd(bio, fd, BIO_CLOSE); | 409 bundle = conf->bundle; |
383 | 410 |
384 ret = NXT_ERROR; | 411 BIO_set_fd(bio, bundle->chain_file, BIO_CLOSE); |
385 386 cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); 387 if (cert == NULL) { 388 goto end; 389 } 390 391 if (SSL_CTX_use_certificate(ctx, cert) != 1) { 392 goto end; 393 } 394 | 412 413 cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); 414 if (cert == NULL) { 415 goto end; 416 } 417 418 if (SSL_CTX_use_certificate(ctx, cert) != 1) { 419 goto end; 420 } 421 |
422 if (!single && nxt_openssl_cert_get_names(task, cert, conf, mp) != NXT_OK) { 423 goto clean; 424 } 425 |
|
395 for ( ;; ) { 396 ca = PEM_read_bio_X509(bio, NULL, NULL, NULL); 397 398 if (ca == NULL) { 399 reason = ERR_GET_REASON(ERR_peek_last_error()); 400 if (reason != PEM_R_NO_START_LINE) { 401 goto end; 402 } --- 29 unchanged lines hidden (view full) --- 432 if (SSL_CTX_use_PrivateKey(ctx, key) == 1) { 433 ret = NXT_OK; 434 } 435 436 EVP_PKEY_free(key); 437 438end: 439 | 426 for ( ;; ) { 427 ca = PEM_read_bio_X509(bio, NULL, NULL, NULL); 428 429 if (ca == NULL) { 430 reason = ERR_GET_REASON(ERR_peek_last_error()); 431 if (reason != PEM_R_NO_START_LINE) { 432 goto end; 433 } --- 29 unchanged lines hidden (view full) --- 463 if (SSL_CTX_use_PrivateKey(ctx, key) == 1) { 464 ret = NXT_OK; 465 } 466 467 EVP_PKEY_free(key); 468 469end: 470 |
440 X509_free(cert); | 471 if (ret != NXT_OK) { 472 nxt_openssl_log_error(task, NXT_LOG_ALERT, 473 "nxt_openssl_chain_file() failed"); 474 } 475 476clean: 477 |
441 BIO_free(bio); | 478 BIO_free(bio); |
479 X509_free(cert); |
|
442 443 return ret; 444} 445 446 | 480 481 return ret; 482} 483 484 |
485static nxt_uint_t 486nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, nxt_tls_conf_t *conf, 487 nxt_mp_t *mp) 488{ 489 int len; 490 nxt_str_t domain, str; 491 X509_NAME *x509_name; 492 nxt_uint_t i, n; 493 GENERAL_NAME *name; 494 nxt_tls_bundle_conf_t *bundle; 495 STACK_OF(GENERAL_NAME) *alt_names; 496 nxt_tls_bundle_hash_item_t *item; 497 498 bundle = conf->bundle; 499 500 alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 501 502 if (alt_names != NULL) { 503 n = sk_GENERAL_NAME_num(alt_names); 504 505 for (i = 0; i != n; i++) { 506 name = sk_GENERAL_NAME_value(alt_names, i); 507 508 if (name->type != GEN_DNS) { 509 continue; 510 } 511 512 str.length = ASN1_STRING_length(name->d.dNSName); 513#if OPENSSL_VERSION_NUMBER > 0x10100000L 514 str.start = (u_char *) ASN1_STRING_get0_data(name->d.dNSName); 515#else 516 str.start = ASN1_STRING_data(name->d.dNSName); 517#endif 518 519 domain.start = nxt_mp_nget(mp, str.length); 520 if (nxt_slow_path(domain.start == NULL)) { 521 goto fail; 522 } 523 524 domain.length = str.length; 525 nxt_memcpy_lowcase(domain.start, str.start, str.length); 526 527 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t)); 528 if (nxt_slow_path(item == NULL)) { 529 goto fail; 530 } 531 532 item->name = domain; 533 item->bundle = bundle; 534 535 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, 536 item, mp) 537 == NXT_ERROR) 538 { 539 goto fail; 540 } 541 } 542 543 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free); 544 545 } else { 546 x509_name = X509_get_subject_name(cert); 547 len = X509_NAME_get_text_by_NID(x509_name, NID_commonName, 548 NULL, 0); 549 if (len <= 0) { 550 nxt_log(task, NXT_LOG_WARN, "certificate \"%V\" has neither " 551 "Subject Alternative Name nor Common Name", bundle->name); 552 return NXT_OK; 553 } 554 555 domain.start = nxt_mp_nget(mp, len + 1); 556 if (nxt_slow_path(domain.start == NULL)) { 557 return NXT_ERROR; 558 } 559 560 domain.length = X509_NAME_get_text_by_NID(x509_name, NID_commonName, 561 (char *) domain.start, 562 len + 1); 563 nxt_memcpy_lowcase(domain.start, domain.start, domain.length); 564 565 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t)); 566 if (nxt_slow_path(item == NULL)) { 567 return NXT_ERROR; 568 } 569 570 item->name = domain; 571 item->bundle = bundle; 572 573 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, item, 574 mp) 575 == NXT_ERROR) 576 { 577 return NXT_ERROR; 578 } 579 } 580 581 return NXT_OK; 582 583fail: 584 585 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free); 586 587 return NXT_ERROR; 588} 589 590 591static const nxt_lvlhsh_proto_t nxt_openssl_bundle_hash_proto 592 nxt_aligned(64) = 593{ 594 NXT_LVLHSH_DEFAULT, 595 nxt_openssl_bundle_hash_test, 596 nxt_mp_lvlhsh_alloc, 597 nxt_mp_lvlhsh_free, 598}; 599 600 601static nxt_int_t 602nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, void *data) 603{ 604 nxt_tls_bundle_hash_item_t *item; 605 606 item = data; 607 608 return nxt_strstr_eq(&lhq->key, &item->name) ? NXT_OK : NXT_DECLINED; 609} 610 611 612static nxt_int_t 613nxt_openssl_bundle_hash_insert(nxt_task_t *task, nxt_lvlhsh_t *lvlhsh, 614 nxt_tls_bundle_hash_item_t *item, nxt_mp_t *mp) 615{ 616 nxt_str_t str; 617 nxt_int_t ret; 618 nxt_lvlhsh_query_t lhq; 619 nxt_tls_bundle_hash_item_t *old; 620 621 str = item->name; 622 623 if (item->name.start[0] == '*') { 624 item->name.start++; 625 item->name.length--; 626 627 if (item->name.length == 0 || item->name.start[0] != '.') { 628 nxt_log(task, NXT_LOG_WARN, "ignored invalid name \"%V\" " 629 "in certificate \"%V\": missing \".\" " 630 "after wildcard symbol", &str, item->bundle->name); 631 return NXT_OK; 632 } 633 } 634 635 lhq.pool = mp; 636 lhq.key = item->name; 637 lhq.value = item; 638 lhq.proto = &nxt_openssl_bundle_hash_proto; 639 lhq.replace = 0; 640 lhq.key_hash = nxt_murmur_hash2(item->name.start, item->name.length); 641 642 ret = nxt_lvlhsh_insert(lvlhsh, &lhq); 643 if (nxt_fast_path(ret == NXT_OK)) { 644 nxt_debug(task, "name \"%V\" for certificate \"%V\" is inserted", 645 &str, item->bundle->name); 646 return NXT_OK; 647 } 648 649 if (nxt_fast_path(ret == NXT_DECLINED)) { 650 old = lhq.value; 651 if (old->bundle != item->bundle) { 652 nxt_log(task, NXT_LOG_WARN, "ignored duplicate name \"%V\" " 653 "in certificate \"%V\", identical name appears in \"%V\"", 654 &str, old->bundle->name, item->bundle->name); 655 656 old->bundle = item->bundle; 657 } 658 659 return NXT_OK; 660 } 661 662 return NXT_ERROR; 663} 664 665 666static nxt_int_t 667nxt_openssl_servername(SSL *s, int *ad, void *arg) 668{ 669 nxt_str_t str; 670 nxt_uint_t i; 671 nxt_conn_t *c; 672 const char *servername; 673 nxt_tls_conf_t *conf; 674 nxt_openssl_conn_t *tls; 675 nxt_tls_bundle_conf_t *bundle; 676 677 c = SSL_get_ex_data(s, nxt_openssl_connection_index); 678 679 if (nxt_slow_path(c == NULL)) { 680 nxt_thread_log_alert("SSL_get_ex_data() failed"); 681 return SSL_TLSEXT_ERR_ALERT_FATAL; 682 } 683 684 servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 685 if (nxt_slow_path(servername == NULL)) { 686 nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned " 687 "NULL in server name callback"); 688 return SSL_TLSEXT_ERR_ALERT_FATAL; 689 } 690 691 str.length = nxt_strlen(servername); 692 if (str.length == 0) { 693 nxt_debug(c->socket.task, "client sent zero-length server name"); 694 goto done; 695 } 696 697 if (servername[0] == '.') { 698 nxt_debug(c->socket.task, "ignored the server name \"%s\": " 699 "leading \".\"", servername); 700 goto done; 701 } 702 703 nxt_debug(c->socket.task, "tls with servername \"%s\"", servername); 704 705 str.start = nxt_mp_nget(c->mem_pool, str.length); 706 if (nxt_slow_path(str.start == NULL)) { 707 return SSL_TLSEXT_ERR_ALERT_FATAL; 708 } 709 710 nxt_memcpy_lowcase(str.start, (const u_char *) servername, str.length); 711 712 tls = c->u.tls; 713 conf = tls->conf; 714 715 bundle = nxt_openssl_find_ctx(conf, &str); 716 717 if (bundle == NULL) { 718 for (i = 1; i < str.length; i++) { 719 if (str.start[i] == '.') { 720 str.start += i; 721 str.length -= i; 722 723 bundle = nxt_openssl_find_ctx(conf, &str); 724 break; 725 } 726 } 727 } 728 729 if (bundle != NULL) { 730 nxt_debug(c->socket.task, "new tls context found for \"%V\": \"%V\" " 731 "(old: \"%V\")", &str, bundle->name, 732 conf->bundle->name); 733 734 if (bundle != conf->bundle) { 735 if (SSL_set_SSL_CTX(s, bundle->ctx) == NULL) { 736 nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT, 737 "SSL_set_SSL_CTX() failed"); 738 739 return SSL_TLSEXT_ERR_ALERT_FATAL; 740 } 741 } 742 } 743 744done: 745 746 return SSL_TLSEXT_ERR_OK; 747} 748 749 750static nxt_tls_bundle_conf_t * 751nxt_openssl_find_ctx(nxt_tls_conf_t *conf, nxt_str_t *sn) 752{ 753 nxt_int_t ret; 754 nxt_lvlhsh_query_t lhq; 755 nxt_tls_bundle_hash_item_t *item; 756 757 lhq.key_hash = nxt_murmur_hash2(sn->start, sn->length); 758 lhq.key = *sn; 759 lhq.proto = &nxt_openssl_bundle_hash_proto; 760 761 ret = nxt_lvlhsh_find(&conf->bundle_hash, &lhq); 762 if (ret != NXT_OK) { 763 return NULL; 764 } 765 766 item = lhq.value; 767 768 return item->bundle; 769} 770 771 |
|
447static void 448nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf) 449{ | 772static void 773nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf) 774{ |
450 SSL_CTX_free(conf->ctx); | 775 nxt_tls_bundle_conf_t *bundle; |
451 | 776 |
777 bundle = conf->bundle; 778 nxt_assert(bundle != NULL); 779 780 do { 781 SSL_CTX_free(bundle->ctx); 782 bundle = bundle->next; 783 } while (bundle != NULL); 784 |
|
452#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 453 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 454 RAND_keep_random_devices_open(0); 455#endif 456} 457 458 459static void --- 9 unchanged lines hidden (view full) --- 469 tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t)); 470 if (tls == NULL) { 471 goto fail; 472 } 473 474 c->u.tls = tls; 475 nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size); 476 | 785#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 786 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 787 RAND_keep_random_devices_open(0); 788#endif 789} 790 791 792static void --- 9 unchanged lines hidden (view full) --- 802 tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t)); 803 if (tls == NULL) { 804 goto fail; 805 } 806 807 c->u.tls = tls; 808 nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size); 809 |
477 ctx = conf->ctx; | 810 ctx = conf->bundle->ctx; |
478 479 s = SSL_new(ctx); 480 if (s == NULL) { 481 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed"); 482 goto fail; 483 } 484 485 tls->session = s; | 811 812 s = SSL_new(ctx); 813 if (s == NULL) { 814 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed"); 815 goto fail; 816 } 817 818 tls->session = s; |
819 /* To pass TLS config to the nxt_openssl_servername() callback. */ 820 tls->conf = conf; |
|
486 tls->conn = c; 487 488 ret = SSL_set_fd(s, c->socket.fd); 489 490 if (ret == 0) { 491 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed", 492 c->socket.fd); 493 goto fail; --- 5 unchanged lines hidden (view full) --- 499 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed"); 500 goto fail; 501 } 502 503 c->io = &nxt_openssl_conn_io; 504 c->sendfile = NXT_CONN_SENDFILE_OFF; 505 506 nxt_openssl_conn_handshake(task, c, c->socket.data); | 821 tls->conn = c; 822 823 ret = SSL_set_fd(s, c->socket.fd); 824 825 if (ret == 0) { 826 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed", 827 c->socket.fd); 828 goto fail; --- 5 unchanged lines hidden (view full) --- 834 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed"); 835 goto fail; 836 } 837 838 c->io = &nxt_openssl_conn_io; 839 c->sendfile = NXT_CONN_SENDFILE_OFF; 840 841 nxt_openssl_conn_handshake(task, c, c->socket.data); |
842 /* 843 * TLS configuration might be destroyed after the TLS connection 844 * is established. 845 */ 846 tls->conf = NULL; |
|
507 return; 508 509fail: 510 511 nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler, 512 task, c, c->socket.data); 513} 514 --- 573 unchanged lines hidden --- | 847 return; 848 849fail: 850 851 nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler, 852 task, c, c->socket.data); 853} 854 --- 573 unchanged lines hidden --- |