1 2 /* 3 * Copyright (C) Igor Sysoev 4 * Copyright (C) NGINX, Inc. 5 */ 6 7 #include <nxt_main.h> 8 #include <openssl/ssl.h> 9 #include <openssl/conf.h> 10 #include <openssl/err.h> 11 12 13 typedef struct { 14 SSL *session; 15 nxt_conn_t *conn; 16 17 int ssl_error; 18 uint8_t times; /* 2 bits */ 19 uint8_t handshake; /* 1 bit */ 20 21 nxt_buf_mem_t buffer; 22 } nxt_openssl_conn_t; 23 24 25 typedef enum { 26 NXT_OPENSSL_HANDSHAKE = 0, 27 NXT_OPENSSL_READ, 28 NXT_OPENSSL_WRITE, 29 NXT_OPENSSL_SHUTDOWN, 30 } nxt_openssl_io_t; 31 32 33 static nxt_int_t nxt_openssl_library_init(nxt_task_t *task); 34 static void nxt_openssl_library_free(nxt_task_t *task); 35 #if OPENSSL_VERSION_NUMBER < 0x10100004L 36 static nxt_int_t nxt_openssl_locks_init(void); 37 static void nxt_openssl_lock(int mode, int type, const char *file, int line); 38 static unsigned long nxt_openssl_thread_id(void); 39 static void nxt_openssl_locks_free(void); 40 #endif 41 static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, 42 nxt_tls_conf_t *conf); 43 static nxt_int_t nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd); 44 static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf); 45 static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, 46 nxt_conn_t *c); 47 static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data); 48 static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b); 49 static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb); 50 static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, 51 void *buf, size_t size); 52 static void nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, 53 void *data); 54 static nxt_int_t nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, 55 int ret, nxt_err_t sys_err, nxt_openssl_io_t io); 56 static void nxt_cdecl nxt_openssl_conn_error(nxt_task_t *task, 57 nxt_err_t err, const char *fmt, ...); 58 static nxt_uint_t nxt_openssl_log_error_level(nxt_err_t err); 59 60 61 const nxt_tls_lib_t nxt_openssl_lib = { 62 .library_init = nxt_openssl_library_init, 63 .library_free = nxt_openssl_library_free, 64 65 .server_init = nxt_openssl_server_init, 66 .server_free = nxt_openssl_server_free, 67 }; 68 69 70 static nxt_conn_io_t nxt_openssl_conn_io = { 71 .read = nxt_conn_io_read, 72 .recvbuf = nxt_openssl_conn_io_recvbuf, 73 74 .write = nxt_conn_io_write, 75 .sendbuf = nxt_openssl_conn_io_sendbuf, 76 77 .shutdown = nxt_openssl_conn_io_shutdown, 78 }; 79 80 81 static long nxt_openssl_version; 82 static int nxt_openssl_connection_index; 83 84 85 static nxt_int_t 86 nxt_openssl_library_init(nxt_task_t *task) 87 { 88 int index; 89 90 if (nxt_fast_path(nxt_openssl_version != 0)) { 91 return NXT_OK; 92 } 93 94 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 95 96 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); 97 98 #else 99 { 100 nxt_int_t ret; 101 102 SSL_load_error_strings(); 103 104 OPENSSL_config(NULL); 105 106 /* 107 * SSL_library_init(3): 108 * 109 * SSL_library_init() always returns "1", 110 * so it is safe to discard the return value. 111 */ 112 (void) SSL_library_init(); 113 114 ret = nxt_openssl_locks_init(); 115 if (nxt_slow_path(ret != NXT_OK)) { 116 return ret; 117 } 118 } 119 120 #endif 121 122 nxt_openssl_version = SSLeay(); 123 124 nxt_log(task, NXT_LOG_INFO, "%s, %xl", 125 SSLeay_version(SSLEAY_VERSION), nxt_openssl_version); 126 127 #ifndef SSL_OP_NO_COMPRESSION 128 { 129 /* 130 * Disable gzip compression in OpenSSL prior to 1.0.0 131 * version, this saves about 522K per connection. 132 */ 133 int n; 134 STACK_OF(SSL_COMP) *ssl_comp_methods; 135 136 ssl_comp_methods = SSL_COMP_get_compression_methods(); 137 138 for (n = sk_SSL_COMP_num(ssl_comp_methods); n != 0; n--) { 139 (void) sk_SSL_COMP_pop(ssl_comp_methods); 140 } 141 } 142 #endif 143 144 index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); 145 146 if (index == -1) { 147 nxt_openssl_log_error(task, NXT_LOG_ALERT, 148 "SSL_get_ex_new_index() failed"); 149 return NXT_ERROR; 150 } 151 152 nxt_openssl_connection_index = index; 153 154 return NXT_OK; 155 } 156 157 158 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 159 160 static void 161 nxt_openssl_library_free(nxt_task_t *task) 162 { 163 } 164 165 #else 166 167 static nxt_thread_mutex_t *nxt_openssl_locks; 168 169 static nxt_int_t 170 nxt_openssl_locks_init(void) 171 { 172 int i, n; 173 nxt_int_t ret; 174 175 n = CRYPTO_num_locks(); 176 177 nxt_openssl_locks = OPENSSL_malloc(n * sizeof(nxt_thread_mutex_t)); 178 if (nxt_slow_path(nxt_openssl_locks == NULL)) { 179 return NXT_ERROR; 180 } 181 182 for (i = 0; i < n; i++) { 183 ret = nxt_thread_mutex_create(&nxt_openssl_locks[i]); 184 if (nxt_slow_path(ret != NXT_OK)) { 185 return ret; 186 } 187 } 188 189 CRYPTO_set_locking_callback(nxt_openssl_lock); 190 191 CRYPTO_set_id_callback(nxt_openssl_thread_id); 192 193 return NXT_OK; 194 } 195 196 197 static void 198 nxt_openssl_lock(int mode, int type, const char *file, int line) 199 { 200 nxt_thread_mutex_t *lock; 201 202 lock = &nxt_openssl_locks[type]; 203 204 if ((mode & CRYPTO_LOCK) != 0) { 205 (void) nxt_thread_mutex_lock(lock); 206 207 } else { 208 (void) nxt_thread_mutex_unlock(lock); 209 } 210 } 211 212 213 static u_long 214 nxt_openssl_thread_id(void) 215 { 216 return (u_long) nxt_thread_handle(); 217 } 218 219 220 static void 221 nxt_openssl_library_free(nxt_task_t *task) 222 { 223 nxt_openssl_locks_free(); 224 } 225 226 227 static void 228 nxt_openssl_locks_free(void) 229 { 230 int i, n; 231 232 n = CRYPTO_num_locks(); 233 234 CRYPTO_set_locking_callback(NULL); 235 236 for (i = 0; i < n; i++) { 237 nxt_thread_mutex_destroy(&nxt_openssl_locks[i]); 238 } 239 240 OPENSSL_free(nxt_openssl_locks); 241 } 242 243 #endif 244 245 246 static nxt_int_t 247 nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf) 248 { 249 SSL_CTX *ctx; 250 nxt_fd_t fd; 251 const char *ciphers, *ca_certificate; 252 STACK_OF(X509_NAME) *list; 253 254 ctx = SSL_CTX_new(SSLv23_server_method()); 255 if (ctx == NULL) { 256 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed"); 257 return NXT_ERROR; 258 } 259 260 conf->ctx = ctx; 261 conf->conn_init = nxt_openssl_conn_init; 262 263 #ifdef SSL_OP_NO_RENEGOTIATION 264 /* Renegration is not currently supported. */ 265 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); 266 #endif 267 268 #ifdef SSL_OP_NO_COMPRESSION 269 /* 270 * Disable gzip compression in OpenSSL 1.0.0, 271 * this saves about 522K per connection. 272 */ 273 SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); 274 #endif 275 276 #ifdef SSL_MODE_RELEASE_BUFFERS 277 278 if (nxt_openssl_version >= 10001078) { 279 /* 280 * Allow to release read and write buffers in OpenSSL 1.0.0, 281 * this saves about 34K per idle connection. It is not safe 282 * before OpenSSL 1.0.1h (CVE-2010-5298). 283 */ 284 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); 285 } 286 287 #endif 288 289 fd = conf->chain_file; 290 291 if (nxt_openssl_chain_file(ctx, fd) != NXT_OK) { 292 nxt_openssl_log_error(task, NXT_LOG_ALERT, 293 "nxt_openssl_chain_file() failed"); 294 goto fail; 295 } 296 /* 297 key = conf->certificate_key; 298 299 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) { 300 nxt_openssl_log_error(task, NXT_LOG_ALERT, 301 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", 302 key); 303 goto fail; 304 } 305 */ 306 ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5"; 307 308 if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) { 309 nxt_openssl_log_error(task, NXT_LOG_ALERT, 310 "SSL_CTX_set_cipher_list(\"%s\") failed", 311 ciphers); 312 goto fail; 313 } 314 315 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 316 317 if (conf->ca_certificate != NULL) { 318 319 /* TODO: verify callback */ 320 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 321 322 /* TODO: verify depth */ 323 SSL_CTX_set_verify_depth(ctx, 1); 324 325 ca_certificate = conf->ca_certificate; 326 327 if (SSL_CTX_load_verify_locations(ctx, ca_certificate, NULL) == 0) { 328 nxt_openssl_log_error(task, NXT_LOG_ALERT, 329 "SSL_CTX_load_verify_locations(\"%s\") failed", 330 ca_certificate); 331 goto fail; 332 } 333 334 list = SSL_load_client_CA_file(ca_certificate); 335 336 if (list == NULL) { 337 nxt_openssl_log_error(task, NXT_LOG_ALERT, 338 "SSL_load_client_CA_file(\"%s\") failed", 339 ca_certificate); 340 goto fail; 341 } 342 343 /* 344 * SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and 345 * 0.9.8 versions always leaves an error in the error queue. 346 */ 347 ERR_clear_error(); 348 349 SSL_CTX_set_client_CA_list(ctx, list); 350 } 351 352 return NXT_OK; 353 354 fail: 355 356 SSL_CTX_free(ctx); 357 358 return NXT_ERROR; 359 } 360 361 362 static nxt_int_t 363 nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd) 364 { 365 BIO *bio; 366 X509 *cert, *ca; 367 long reason; 368 EVP_PKEY *key; 369 nxt_int_t ret; 370 371 bio = BIO_new(BIO_s_fd()); 372 if (bio == NULL) { 373 return NXT_ERROR; 374 } 375 376 BIO_set_fd(bio, fd, BIO_CLOSE); 377 378 ret = NXT_ERROR; 379 380 cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); 381 if (cert == NULL) { 382 goto end; 383 } 384 385 if (SSL_CTX_use_certificate(ctx, cert) != 1) { 386 goto end; 387 } 388 389 for ( ;; ) { 390 ca = PEM_read_bio_X509(bio, NULL, NULL, NULL); 391 392 if (ca == NULL) { 393 reason = ERR_GET_REASON(ERR_peek_last_error()); 394 if (reason != PEM_R_NO_START_LINE) { 395 goto end; 396 } 397 398 ERR_clear_error(); 399 break; 400 } 401 402 /* 403 * Note that ca isn't freed if it was successfully added to the chain, 404 * while the main certificate needs a X509_free() call, since 405 * its reference count is increased by SSL_CTX_use_certificate(). 406 */ 407 #ifdef SSL_CTX_add0_chain_cert 408 if (SSL_CTX_add0_chain_cert(ctx, ca) != 1) { 409 #else 410 if (SSL_CTX_add_extra_chain_cert(ctx, ca) != 1) { 411 #endif 412 X509_free(ca); 413 goto end; 414 } 415 } 416 417 if (BIO_reset(bio) != 0) { 418 goto end; 419 } 420 421 key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); 422 if (key == NULL) { 423 goto end; 424 } 425 426 if (SSL_CTX_use_PrivateKey(ctx, key) == 1) { 427 ret = NXT_OK; 428 } 429 430 EVP_PKEY_free(key); 431 432 end: 433 434 X509_free(cert); 435 BIO_free(bio); 436 437 return ret; 438 } 439 440 441 static void 442 nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf) 443 { 444 SSL_CTX_free(conf->ctx); 445 } 446 447 448 static void 449 nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, nxt_conn_t *c) 450 { 451 int ret; 452 SSL *s; 453 SSL_CTX *ctx; 454 nxt_openssl_conn_t *tls; 455 456 nxt_log_debug(c->socket.log, "openssl conn init"); 457 458 tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t)); 459 if (tls == NULL) { 460 goto fail; 461 } 462 463 c->u.tls = tls; 464 nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size); 465 466 ctx = conf->ctx; 467 468 s = SSL_new(ctx); 469 if (s == NULL) { 470 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed"); 471 goto fail; 472 } 473 474 tls->session = s; 475 tls->conn = c; 476 477 ret = SSL_set_fd(s, c->socket.fd); 478 479 if (ret == 0) { 480 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed", 481 c->socket.fd); 482 goto fail; 483 } 484 485 SSL_set_accept_state(s); 486 487 if (SSL_set_ex_data(s, nxt_openssl_connection_index, c) == 0) { 488 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed"); 489 goto fail; 490 } 491 492 c->io = &nxt_openssl_conn_io; 493 c->sendfile = NXT_CONN_SENDFILE_OFF; 494 495 nxt_openssl_conn_handshake(task, c, c->socket.data); 496 return; 497 498 fail: 499 500 nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler, 501 task, c, c->socket.data); 502 } 503 504 505 nxt_inline void 506 nxt_openssl_conn_free(nxt_task_t *task, nxt_conn_t *c) 507 { 508 nxt_openssl_conn_t *tls; 509 510 nxt_debug(task, "openssl conn free"); 511 512 tls = c->u.tls; 513 514 if (tls != NULL) { 515 c->u.tls = NULL; 516 nxt_free(tls->buffer.start); 517 SSL_free(tls->session); 518 } 519 } 520 521 522 static void 523 nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data) 524 { 525 int ret; 526 nxt_int_t n; 527 nxt_err_t err; 528 nxt_conn_t *c; 529 nxt_work_queue_t *wq; 530 nxt_work_handler_t handler; 531 nxt_openssl_conn_t *tls; 532 const nxt_conn_state_t *state; 533 534 c = obj; 535 536 nxt_debug(task, "openssl conn handshake fd:%d", c->socket.fd); 537 538 if (c->socket.error != 0) { 539 return; 540 } 541 542 tls = c->u.tls; 543 544 if (tls == NULL) { 545 return; 546 } 547 548 nxt_debug(task, "openssl conn handshake: %d times", tls->times); 549 550 /* "tls->times == 1" is suitable to run SSL_do_handshake() in job. */ 551 552 ret = SSL_do_handshake(tls->session); 553 554 err = (ret <= 0) ? nxt_socket_errno : 0; 555 556 nxt_thread_time_debug_update(task->thread); 557 558 nxt_debug(task, "SSL_do_handshake(%d): %d err:%d", c->socket.fd, ret, err); 559 560 state = (c->read_state != NULL) ? c->read_state : c->write_state; 561 562 if (ret > 0) { 563 /* ret == 1, the handshake was successfully completed. */ 564 tls->handshake = 1; 565 566 if (c->read_state != NULL) { 567 if (state->io_read_handler != NULL || c->read != NULL) { 568 nxt_conn_read(task->thread->engine, c); 569 return; 570 } 571 572 } else { 573 if (c->write != NULL) { 574 nxt_conn_write(task->thread->engine, c); 575 return; 576 } 577 } 578 579 handler = state->ready_handler; 580 581 } else { 582 c->socket.read_handler = nxt_openssl_conn_handshake; 583 c->socket.write_handler = nxt_openssl_conn_handshake; 584 585 n = nxt_openssl_conn_test_error(task, c, ret, err, 586 NXT_OPENSSL_HANDSHAKE); 587 switch (n) { 588 589 case NXT_AGAIN: 590 if (tls->ssl_error == SSL_ERROR_WANT_READ && tls->times < 2) { 591 tls->times++; 592 } 593 594 return; 595 596 case 0: 597 handler = state->close_handler; 598 break; 599 600 default: 601 case NXT_ERROR: 602 nxt_openssl_conn_error(task, err, "SSL_do_handshake(%d) failed", 603 c->socket.fd); 604 605 handler = state->error_handler; 606 break; 607 } 608 } 609 610 wq = (c->read_state != NULL) ? c->read_work_queue : c->write_work_queue; 611 612 nxt_work_queue_add(wq, handler, task, c, data); 613 } 614 615 616 static ssize_t 617 nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b) 618 { 619 int ret; 620 size_t size; 621 nxt_int_t n; 622 nxt_err_t err; 623 nxt_openssl_conn_t *tls; 624 625 tls = c->u.tls; 626 size = b->mem.end - b->mem.free; 627 628 ret = SSL_read(tls->session, b->mem.free, size); 629 630 err = (ret <= 0) ? nxt_socket_errno : 0; 631 632 nxt_debug(c->socket.task, "SSL_read(%d, %p, %uz): %d err:%d", 633 c->socket.fd, b->mem.free, size, ret, err); 634 635 if (ret > 0) { 636 return ret; 637 } 638 639 n = nxt_openssl_conn_test_error(c->socket.task, c, ret, err, 640 NXT_OPENSSL_READ); 641 if (n == NXT_ERROR) { 642 nxt_openssl_conn_error(c->socket.task, err, 643 "SSL_read(%d, %p, %uz) failed", 644 c->socket.fd, b->mem.free, size); 645 } 646 647 return n; 648 } 649 650 651 static ssize_t 652 nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb) 653 { 654 nxt_uint_t niov; 655 struct iovec iov; 656 657 niov = nxt_sendbuf_mem_coalesce0(task, sb, &iov, 1); 658 659 if (niov == 0 && sb->sync) { 660 return 0; 661 } 662 663 return nxt_openssl_conn_io_send(task, sb, iov.iov_base, iov.iov_len); 664 } 665 666 667 static ssize_t 668 nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, void *buf, 669 size_t size) 670 { 671 int ret; 672 nxt_err_t err; 673 nxt_int_t n; 674 nxt_conn_t *c; 675 nxt_openssl_conn_t *tls; 676 677 tls = sb->tls; 678 679 ret = SSL_write(tls->session, buf, size); 680 681 err = (ret <= 0) ? nxt_socket_errno : 0; 682 683 nxt_debug(task, "SSL_write(%d, %p, %uz): %d err:%d", 684 sb->socket, buf, size, ret, err); 685 686 if (ret > 0) { 687 return ret; 688 } 689 690 c = tls->conn; 691 c->socket.write_ready = sb->ready; 692 693 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_WRITE); 694 695 sb->ready = c->socket.write_ready; 696 697 if (n == NXT_ERROR) { 698 sb->error = c->socket.error; 699 nxt_openssl_conn_error(task, err, "SSL_write(%d, %p, %uz) failed", 700 sb->socket, buf, size); 701 } 702 703 return n; 704 } 705 706 707 static void 708 nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, void *data) 709 { 710 int ret, mode; 711 SSL *s; 712 nxt_err_t err; 713 nxt_int_t n; 714 nxt_bool_t quiet, once; 715 nxt_conn_t *c; 716 nxt_openssl_conn_t *tls; 717 nxt_work_handler_t handler; 718 719 c = obj; 720 721 nxt_debug(task, "openssl conn shutdown fd:%d", c->socket.fd); 722 723 if (c->socket.error != 0) { 724 return; 725 } 726 727 c->read_state = NULL; 728 tls = c->u.tls; 729 730 if (tls == NULL) { 731 return; 732 } 733 734 s = tls->session; 735 736 if (s == NULL || !tls->handshake) { 737 handler = c->write_state->ready_handler; 738 goto done; 739 } 740 741 mode = SSL_get_shutdown(s); 742 743 if (c->socket.timedout || c->socket.error != 0) { 744 quiet = 1; 745 746 } else if (c->socket.closed && !(mode & SSL_RECEIVED_SHUTDOWN)) { 747 quiet = 1; 748 749 } else { 750 quiet = 0; 751 } 752 753 SSL_set_quiet_shutdown(s, quiet); 754 755 once = 1; 756 757 for ( ;; ) { 758 SSL_set_shutdown(s, mode); 759 760 ret = SSL_shutdown(s); 761 762 err = (ret <= 0) ? nxt_socket_errno : 0; 763 764 nxt_debug(task, "SSL_shutdown(%d, %d, %b): %d err:%d", 765 c->socket.fd, mode, quiet, ret, err); 766 767 if (ret > 0) { 768 /* ret == 1, the shutdown was successfully completed. */ 769 handler = c->write_state->ready_handler; 770 goto done; 771 } 772 773 if (ret == 0) { 774 /* 775 * If SSL_shutdown() returns 0 then it should be called 776 * again. The second SSL_shutdown() call should return 777 * -1/SSL_ERROR_WANT_READ or -1/SSL_ERROR_WANT_WRITE. 778 * OpenSSL prior to 0.9.8m version however never returns 779 * -1 at all. Fortunately, OpenSSL preserves internally 780 * correct status available via SSL_get_error(-1). 781 */ 782 if (once) { 783 once = 0; 784 mode = SSL_get_shutdown(s); 785 continue; 786 } 787 788 ret = -1; 789 } 790 791 /* ret == -1 */ 792 793 break; 794 } 795 796 c->socket.read_handler = nxt_openssl_conn_io_shutdown; 797 c->socket.write_handler = nxt_openssl_conn_io_shutdown; 798 c->socket.error_handler = c->write_state->error_handler; 799 800 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_SHUTDOWN); 801 802 switch (n) { 803 804 case 0: 805 handler = c->write_state->close_handler; 806 break; 807 808 case NXT_AGAIN: 809 nxt_timer_add(task->thread->engine, &c->read_timer, 5000); 810 return; 811 812 default: 813 case NXT_ERROR: 814 nxt_openssl_conn_error(task, err, "SSL_shutdown(%d) failed", 815 c->socket.fd); 816 handler = c->write_state->error_handler; 817 } 818 819 done: 820 821 nxt_openssl_conn_free(task, c); 822 823 nxt_work_queue_add(c->write_work_queue, handler, task, c, data); 824 } 825 826 827 static nxt_int_t 828 nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, int ret, 829 nxt_err_t sys_err, nxt_openssl_io_t io) 830 { 831 u_long lib_err; 832 nxt_openssl_conn_t *tls; 833 834 tls = c->u.tls; 835 836 tls->ssl_error = SSL_get_error(tls->session, ret); 837 838 nxt_debug(task, "SSL_get_error(): %d", tls->ssl_error); 839 840 switch (tls->ssl_error) { 841 842 case SSL_ERROR_WANT_READ: 843 c->socket.read_ready = 0; 844 845 if (io != NXT_OPENSSL_READ) { 846 nxt_fd_event_block_write(task->thread->engine, &c->socket); 847 848 if (nxt_fd_event_is_disabled(c->socket.read)) { 849 nxt_fd_event_enable_read(task->thread->engine, &c->socket); 850 } 851 } 852 853 return NXT_AGAIN; 854 855 case SSL_ERROR_WANT_WRITE: 856 c->socket.write_ready = 0; 857 858 if (io != NXT_OPENSSL_WRITE) { 859 nxt_fd_event_block_read(task->thread->engine, &c->socket); 860 861 if (nxt_fd_event_is_disabled(c->socket.write)) { 862 nxt_fd_event_enable_write(task->thread->engine, &c->socket); 863 } 864 } 865 866 return NXT_AGAIN; 867 868 case SSL_ERROR_SYSCALL: 869 lib_err = ERR_peek_error(); 870 871 nxt_debug(task, "ERR_peek_error(): %l", lib_err); 872 873 if (sys_err != 0 || lib_err != 0) { 874 c->socket.error = sys_err; 875 return NXT_ERROR; 876 } 877 878 /* A connection was just closed. */ 879 c->socket.closed = 1; 880 return 0; 881 882 case SSL_ERROR_ZERO_RETURN: 883 /* A "close notify" alert. */ 884 return 0; 885 886 default: /* SSL_ERROR_SSL, etc. */ 887 c->socket.error = 1000; /* Nonexistent errno code. */ 888 return NXT_ERROR; 889 } 890 } 891 892 893 static void nxt_cdecl 894 nxt_openssl_conn_error(nxt_task_t *task, nxt_err_t err, const char *fmt, ...) 895 { 896 u_char *p, *end; 897 va_list args; 898 nxt_uint_t level; 899 u_char msg[NXT_MAX_ERROR_STR]; 900 901 level = nxt_openssl_log_error_level(err); 902 903 if (nxt_log_level_enough(task->log, level)) { 904 905 end = msg + sizeof(msg); 906 907 va_start(args, fmt); 908 p = nxt_vsprintf(msg, end, fmt, args); 909 va_end(args); 910 911 if (err != 0) { 912 p = nxt_sprintf(p, end, " %E", err); 913 } 914 915 p = nxt_openssl_copy_error(p, end); 916 917 nxt_log(task, level, "%*s", p - msg, msg); 918 919 } else { 920 ERR_clear_error(); 921 } 922 } 923 924 925 static nxt_uint_t 926 nxt_openssl_log_error_level(nxt_err_t err) 927 { 928 switch (ERR_GET_REASON(ERR_peek_error())) { 929 930 case 0: 931 return nxt_socket_error_level(err); 932 933 case SSL_R_BAD_CHANGE_CIPHER_SPEC: /* 103 */ 934 case SSL_R_BLOCK_CIPHER_PAD_IS_WRONG: /* 129 */ 935 case SSL_R_DIGEST_CHECK_FAILED: /* 149 */ 936 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: /* 151 */ 937 case SSL_R_EXCESSIVE_MESSAGE_SIZE: /* 152 */ 938 case SSL_R_LENGTH_MISMATCH: /* 159 */ 939 #ifdef SSL_R_NO_CIPHERS_PASSED 940 case SSL_R_NO_CIPHERS_PASSED: /* 182 */ 941 #endif 942 case SSL_R_NO_CIPHERS_SPECIFIED: /* 183 */ 943 case SSL_R_NO_COMPRESSION_SPECIFIED: /* 187 */ 944 case SSL_R_NO_SHARED_CIPHER: /* 193 */ 945 case SSL_R_RECORD_LENGTH_MISMATCH: /* 213 */ 946 #ifdef SSL_R_PARSE_TLSEXT 947 case SSL_R_PARSE_TLSEXT: /* 227 */ 948 #endif 949 case SSL_R_UNEXPECTED_MESSAGE: /* 244 */ 950 case SSL_R_UNEXPECTED_RECORD: /* 245 */ 951 case SSL_R_UNKNOWN_ALERT_TYPE: /* 246 */ 952 case SSL_R_UNKNOWN_PROTOCOL: /* 252 */ 953 case SSL_R_WRONG_VERSION_NUMBER: /* 267 */ 954 case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: /* 281 */ 955 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG 956 case SSL_R_RENEGOTIATE_EXT_TOO_LONG: /* 335 */ 957 case SSL_R_RENEGOTIATION_ENCODING_ERR: /* 336 */ 958 case SSL_R_RENEGOTIATION_MISMATCH: /* 337 */ 959 #endif 960 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 961 case SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED: /* 338 */ 962 #endif 963 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 964 case SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING: /* 345 */ 965 #endif 966 case 1000:/* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ 967 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: /* 1010 */ 968 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: /* 1020 */ 969 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: /* 1021 */ 970 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: /* 1022 */ 971 case SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE: /* 1030 */ 972 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: /* 1040 */ 973 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: /* 1047 */ 974 break; 975 976 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: /* 1041 */ 977 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE: /* 1042 */ 978 case SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE: /* 1043 */ 979 case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED: /* 1044 */ 980 case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED: /* 1045 */ 981 case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN: /* 1046 */ 982 case SSL_R_TLSV1_ALERT_UNKNOWN_CA: /* 1048 */ 983 case SSL_R_TLSV1_ALERT_ACCESS_DENIED: /* 1049 */ 984 case SSL_R_TLSV1_ALERT_DECODE_ERROR: /* 1050 */ 985 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: /* 1051 */ 986 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: /* 1060 */ 987 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION: /* 1070 */ 988 case SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY: /* 1071 */ 989 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: /* 1080 */ 990 case SSL_R_TLSV1_ALERT_USER_CANCELLED: /* 1090 */ 991 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: /* 1100 */ 992 return NXT_LOG_ERR; 993 994 default: 995 return NXT_LOG_ALERT; 996 } 997 998 return NXT_LOG_INFO; 999 } 1000 1001 1002 void nxt_cdecl 1003 nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level, const char *fmt, ...) 1004 { 1005 u_char *p, *end; 1006 va_list args; 1007 u_char msg[NXT_MAX_ERROR_STR]; 1008 1009 end = msg + sizeof(msg); 1010 1011 va_start(args, fmt); 1012 p = nxt_vsprintf(msg, end, fmt, args); 1013 va_end(args); 1014 1015 p = nxt_openssl_copy_error(p, end); 1016 1017 nxt_log(task, level, "%*s", p - msg, msg); 1018 } 1019 1020 1021 u_char * 1022 nxt_openssl_copy_error(u_char *p, u_char *end) 1023 { 1024 int flags; 1025 u_long err; 1026 nxt_bool_t clear; 1027 const char *data, *delimiter; 1028 1029 err = ERR_peek_error(); 1030 if (err == 0) { 1031 return p; 1032 } 1033 1034 /* Log the most relevant error message ... */ 1035 data = ERR_reason_error_string(err); 1036 1037 p = nxt_sprintf(p, end, " (%d: %s) (OpenSSL: ", ERR_GET_REASON(err), data); 1038 1039 /* 1040 * ... followed by all queued cumbersome OpenSSL error messages 1041 * and drain the error queue. 1042 */ 1043 delimiter = ""; 1044 clear = 0; 1045 1046 for ( ;; ) { 1047 err = ERR_get_error_line_data(NULL, NULL, &data, &flags); 1048 if (err == 0) { 1049 break; 1050 } 1051 1052 p = nxt_sprintf(p, end, "%s", delimiter); 1053 1054 ERR_error_string_n(err, (char *) p, end - p); 1055 1056 while (p < end && *p != '\0') { 1057 p++; 1058 } 1059 1060 if ((flags & ERR_TXT_STRING) != 0) { 1061 p = nxt_sprintf(p, end, ":%s", data); 1062 } 1063 1064 clear |= ((flags & ERR_TXT_MALLOCED) != 0); 1065 1066 delimiter = "; "; 1067 } 1068 1069 /* Deallocate additional data. */ 1070 1071 if (clear) { 1072 ERR_clear_error(); 1073 } 1074 1075 if (p < end) { 1076 *p++ = ')'; 1077 } 1078 1079 return p; 1080 } 1081