1 2 /* 3 * Copyright (C) Igor Sysoev 4 * Copyright (C) NGINX, Inc. 5 */ 6 7 #include <nxt_main.h> 8 #include <openssl/ssl.h> 9 #include <openssl/conf.h> 10 #include <openssl/err.h> 11 #include <openssl/rand.h> 12 13 14 typedef struct { 15 SSL *session; 16 nxt_conn_t *conn; 17 18 int ssl_error; 19 uint8_t times; /* 2 bits */ 20 uint8_t handshake; /* 1 bit */ 21 22 nxt_buf_mem_t buffer; 23 } nxt_openssl_conn_t; 24 25 26 typedef enum { 27 NXT_OPENSSL_HANDSHAKE = 0, 28 NXT_OPENSSL_READ, 29 NXT_OPENSSL_WRITE, 30 NXT_OPENSSL_SHUTDOWN, 31 } nxt_openssl_io_t; 32 33 34 static nxt_int_t nxt_openssl_library_init(nxt_task_t *task); 35 static void nxt_openssl_library_free(nxt_task_t *task); 36 #if OPENSSL_VERSION_NUMBER < 0x10100004L 37 static nxt_int_t nxt_openssl_locks_init(void); 38 static void nxt_openssl_lock(int mode, int type, const char *file, int line); 39 static unsigned long nxt_openssl_thread_id(void); 40 static void nxt_openssl_locks_free(void); 41 #endif 42 static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, 43 nxt_tls_conf_t *conf); 44 static nxt_int_t nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd); 45 static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf); 46 static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, 47 nxt_conn_t *c); 48 static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data); 49 static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b); 50 static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb); 51 static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, 52 void *buf, size_t size); 53 static void nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, 54 void *data); 55 static nxt_int_t nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, 56 int ret, nxt_err_t sys_err, nxt_openssl_io_t io); 57 static void nxt_cdecl nxt_openssl_conn_error(nxt_task_t *task, 58 nxt_err_t err, const char *fmt, ...); 59 static nxt_uint_t nxt_openssl_log_error_level(nxt_err_t err); 60 61 62 const nxt_tls_lib_t nxt_openssl_lib = { 63 .library_init = nxt_openssl_library_init, 64 .library_free = nxt_openssl_library_free, 65 66 .server_init = nxt_openssl_server_init, 67 .server_free = nxt_openssl_server_free, 68 }; 69 70 71 static nxt_conn_io_t nxt_openssl_conn_io = { 72 .read = nxt_conn_io_read, 73 .recvbuf = nxt_openssl_conn_io_recvbuf, 74 75 .write = nxt_conn_io_write, 76 .sendbuf = nxt_openssl_conn_io_sendbuf, 77 78 .shutdown = nxt_openssl_conn_io_shutdown, 79 }; 80 81 82 static long nxt_openssl_version; 83 static int nxt_openssl_connection_index; 84 85 86 static nxt_int_t 87 nxt_openssl_library_init(nxt_task_t *task) 88 { 89 int index; 90 91 if (nxt_fast_path(nxt_openssl_version != 0)) { 92 return NXT_OK; 93 } 94 95 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 96 97 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); 98 99 #else 100 { 101 nxt_int_t ret; 102 103 SSL_load_error_strings(); 104 105 OPENSSL_config(NULL); 106 107 /* 108 * SSL_library_init(3): 109 * 110 * SSL_library_init() always returns "1", 111 * so it is safe to discard the return value. 112 */ 113 (void) SSL_library_init(); 114 115 ret = nxt_openssl_locks_init(); 116 if (nxt_slow_path(ret != NXT_OK)) { 117 return ret; 118 } 119 } 120 121 #endif 122 123 nxt_openssl_version = SSLeay(); 124 125 nxt_log(task, NXT_LOG_INFO, "%s, %xl", 126 SSLeay_version(SSLEAY_VERSION), nxt_openssl_version); 127 128 #ifndef SSL_OP_NO_COMPRESSION 129 { 130 /* 131 * Disable gzip compression in OpenSSL prior to 1.0.0 132 * version, this saves about 522K per connection. 133 */ 134 int n; 135 STACK_OF(SSL_COMP) *ssl_comp_methods; 136 137 ssl_comp_methods = SSL_COMP_get_compression_methods(); 138 139 for (n = sk_SSL_COMP_num(ssl_comp_methods); n != 0; n--) { 140 (void) sk_SSL_COMP_pop(ssl_comp_methods); 141 } 142 } 143 #endif 144 145 index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); 146 147 if (index == -1) { 148 nxt_openssl_log_error(task, NXT_LOG_ALERT, 149 "SSL_get_ex_new_index() failed"); 150 return NXT_ERROR; 151 } 152 153 nxt_openssl_connection_index = index; 154 155 return NXT_OK; 156 } 157 158 159 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 160 161 static void 162 nxt_openssl_library_free(nxt_task_t *task) 163 { 164 } 165 166 #else 167 168 static nxt_thread_mutex_t *nxt_openssl_locks; 169 170 static nxt_int_t 171 nxt_openssl_locks_init(void) 172 { 173 int i, n; 174 nxt_int_t ret; 175 176 n = CRYPTO_num_locks(); 177 178 nxt_openssl_locks = OPENSSL_malloc(n * sizeof(nxt_thread_mutex_t)); 179 if (nxt_slow_path(nxt_openssl_locks == NULL)) { 180 return NXT_ERROR; 181 } 182 183 for (i = 0; i < n; i++) { 184 ret = nxt_thread_mutex_create(&nxt_openssl_locks[i]); 185 if (nxt_slow_path(ret != NXT_OK)) { 186 return ret; 187 } 188 } 189 190 CRYPTO_set_locking_callback(nxt_openssl_lock); 191 192 CRYPTO_set_id_callback(nxt_openssl_thread_id); 193 194 return NXT_OK; 195 } 196 197 198 static void 199 nxt_openssl_lock(int mode, int type, const char *file, int line) 200 { 201 nxt_thread_mutex_t *lock; 202 203 lock = &nxt_openssl_locks[type]; 204 205 if ((mode & CRYPTO_LOCK) != 0) { 206 (void) nxt_thread_mutex_lock(lock); 207 208 } else { 209 (void) nxt_thread_mutex_unlock(lock); 210 } 211 } 212 213 214 static u_long 215 nxt_openssl_thread_id(void) 216 { 217 return (u_long) nxt_thread_handle(); 218 } 219 220 221 static void 222 nxt_openssl_library_free(nxt_task_t *task) 223 { 224 nxt_openssl_locks_free(); 225 } 226 227 228 static void 229 nxt_openssl_locks_free(void) 230 { 231 int i, n; 232 233 n = CRYPTO_num_locks(); 234 235 CRYPTO_set_locking_callback(NULL); 236 237 for (i = 0; i < n; i++) { 238 nxt_thread_mutex_destroy(&nxt_openssl_locks[i]); 239 } 240 241 OPENSSL_free(nxt_openssl_locks); 242 } 243 244 #endif 245 246 247 static nxt_int_t 248 nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf) 249 { 250 SSL_CTX *ctx; 251 nxt_fd_t fd; 252 const char *ciphers, *ca_certificate; 253 STACK_OF(X509_NAME) *list; 254 255 ctx = SSL_CTX_new(SSLv23_server_method()); 256 if (ctx == NULL) { 257 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed"); 258 return NXT_ERROR; 259 } 260 261 conf->ctx = ctx; 262 conf->conn_init = nxt_openssl_conn_init; 263 264 #ifdef SSL_OP_NO_RENEGOTIATION 265 /* Renegration is not currently supported. */ 266 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); 267 #endif 268 269 #ifdef SSL_OP_NO_COMPRESSION 270 /* 271 * Disable gzip compression in OpenSSL 1.0.0, 272 * this saves about 522K per connection. 273 */ 274 SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); 275 #endif 276 277 #ifdef SSL_MODE_RELEASE_BUFFERS 278 279 if (nxt_openssl_version >= 10001078) { 280 /* 281 * Allow to release read and write buffers in OpenSSL 1.0.0, 282 * this saves about 34K per idle connection. It is not safe 283 * before OpenSSL 1.0.1h (CVE-2010-5298). 284 */ 285 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); 286 } 287 288 #endif 289 290 fd = conf->chain_file; 291 292 if (nxt_openssl_chain_file(ctx, fd) != NXT_OK) { 293 nxt_openssl_log_error(task, NXT_LOG_ALERT, 294 "nxt_openssl_chain_file() failed"); 295 goto fail; 296 } 297 /* 298 key = conf->certificate_key; 299 300 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) { 301 nxt_openssl_log_error(task, NXT_LOG_ALERT, 302 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", 303 key); 304 goto fail; 305 } 306 */ 307 ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5"; 308 309 if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) { 310 nxt_openssl_log_error(task, NXT_LOG_ALERT, 311 "SSL_CTX_set_cipher_list(\"%s\") failed", 312 ciphers); 313 goto fail; 314 } 315 316 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 317 318 if (conf->ca_certificate != NULL) { 319 320 /* TODO: verify callback */ 321 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 322 323 /* TODO: verify depth */ 324 SSL_CTX_set_verify_depth(ctx, 1); 325 326 ca_certificate = conf->ca_certificate; 327 328 if (SSL_CTX_load_verify_locations(ctx, ca_certificate, NULL) == 0) { 329 nxt_openssl_log_error(task, NXT_LOG_ALERT, 330 "SSL_CTX_load_verify_locations(\"%s\") failed", 331 ca_certificate); 332 goto fail; 333 } 334 335 list = SSL_load_client_CA_file(ca_certificate); 336 337 if (list == NULL) { 338 nxt_openssl_log_error(task, NXT_LOG_ALERT, 339 "SSL_load_client_CA_file(\"%s\") failed", 340 ca_certificate); 341 goto fail; 342 } 343 344 /* 345 * SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and 346 * 0.9.8 versions always leaves an error in the error queue. 347 */ 348 ERR_clear_error(); 349 350 SSL_CTX_set_client_CA_list(ctx, list); 351 } 352 353 return NXT_OK; 354 355 fail: 356 357 SSL_CTX_free(ctx); 358 359 #if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 360 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 361 RAND_keep_random_devices_open(0); 362 #endif 363 364 return NXT_ERROR; 365 } 366 367 368 static nxt_int_t 369 nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd) 370 { 371 BIO *bio; 372 X509 *cert, *ca; 373 long reason; 374 EVP_PKEY *key; 375 nxt_int_t ret; 376 377 bio = BIO_new(BIO_s_fd()); 378 if (bio == NULL) { 379 return NXT_ERROR; 380 } 381 382 BIO_set_fd(bio, fd, BIO_CLOSE); 383 384 ret = NXT_ERROR; 385 386 cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); 387 if (cert == NULL) { 388 goto end; 389 } 390 391 if (SSL_CTX_use_certificate(ctx, cert) != 1) { 392 goto end; 393 } 394 395 for ( ;; ) { 396 ca = PEM_read_bio_X509(bio, NULL, NULL, NULL); 397 398 if (ca == NULL) { 399 reason = ERR_GET_REASON(ERR_peek_last_error()); 400 if (reason != PEM_R_NO_START_LINE) { 401 goto end; 402 } 403 404 ERR_clear_error(); 405 break; 406 } 407 408 /* 409 * Note that ca isn't freed if it was successfully added to the chain, 410 * while the main certificate needs a X509_free() call, since 411 * its reference count is increased by SSL_CTX_use_certificate(). 412 */ 413 #ifdef SSL_CTX_add0_chain_cert 414 if (SSL_CTX_add0_chain_cert(ctx, ca) != 1) { 415 #else 416 if (SSL_CTX_add_extra_chain_cert(ctx, ca) != 1) { 417 #endif 418 X509_free(ca); 419 goto end; 420 } 421 } 422 423 if (BIO_reset(bio) != 0) { 424 goto end; 425 } 426 427 key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); 428 if (key == NULL) { 429 goto end; 430 } 431 432 if (SSL_CTX_use_PrivateKey(ctx, key) == 1) { 433 ret = NXT_OK; 434 } 435 436 EVP_PKEY_free(key); 437 438 end: 439 440 X509_free(cert); 441 BIO_free(bio); 442 443 return ret; 444 } 445 446 447 static void 448 nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf) 449 { 450 SSL_CTX_free(conf->ctx); 451 452 #if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 453 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 454 RAND_keep_random_devices_open(0); 455 #endif 456 } 457 458 459 static void 460 nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, nxt_conn_t *c) 461 { 462 int ret; 463 SSL *s; 464 SSL_CTX *ctx; 465 nxt_openssl_conn_t *tls; 466 467 nxt_log_debug(c->socket.log, "openssl conn init"); 468 469 tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t)); 470 if (tls == NULL) { 471 goto fail; 472 } 473 474 c->u.tls = tls; 475 nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size); 476 477 ctx = conf->ctx; 478 479 s = SSL_new(ctx); 480 if (s == NULL) { 481 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed"); 482 goto fail; 483 } 484 485 tls->session = s; 486 tls->conn = c; 487 488 ret = SSL_set_fd(s, c->socket.fd); 489 490 if (ret == 0) { 491 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed", 492 c->socket.fd); 493 goto fail; 494 } 495 496 SSL_set_accept_state(s); 497 498 if (SSL_set_ex_data(s, nxt_openssl_connection_index, c) == 0) { 499 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed"); 500 goto fail; 501 } 502 503 c->io = &nxt_openssl_conn_io; 504 c->sendfile = NXT_CONN_SENDFILE_OFF; 505 506 nxt_openssl_conn_handshake(task, c, c->socket.data); 507 return; 508 509 fail: 510 511 nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler, 512 task, c, c->socket.data); 513 } 514 515 516 nxt_inline void 517 nxt_openssl_conn_free(nxt_task_t *task, nxt_conn_t *c) 518 { 519 nxt_openssl_conn_t *tls; 520 521 nxt_debug(task, "openssl conn free"); 522 523 tls = c->u.tls; 524 525 if (tls != NULL) { 526 c->u.tls = NULL; 527 nxt_free(tls->buffer.start); 528 SSL_free(tls->session); 529 } 530 } 531 532 533 static void 534 nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data) 535 { 536 int ret; 537 nxt_int_t n; 538 nxt_err_t err; 539 nxt_conn_t *c; 540 nxt_work_queue_t *wq; 541 nxt_work_handler_t handler; 542 nxt_openssl_conn_t *tls; 543 const nxt_conn_state_t *state; 544 545 c = obj; 546 547 nxt_debug(task, "openssl conn handshake fd:%d", c->socket.fd); 548 549 if (c->socket.error != 0) { 550 return; 551 } 552 553 tls = c->u.tls; 554 555 if (tls == NULL) { 556 return; 557 } 558 559 nxt_debug(task, "openssl conn handshake: %d times", tls->times); 560 561 /* "tls->times == 1" is suitable to run SSL_do_handshake() in job. */ 562 563 ret = SSL_do_handshake(tls->session); 564 565 err = (ret <= 0) ? nxt_socket_errno : 0; 566 567 nxt_thread_time_debug_update(task->thread); 568 569 nxt_debug(task, "SSL_do_handshake(%d): %d err:%d", c->socket.fd, ret, err); 570 571 state = (c->read_state != NULL) ? c->read_state : c->write_state; 572 573 if (ret > 0) { 574 /* ret == 1, the handshake was successfully completed. */ 575 tls->handshake = 1; 576 577 if (c->read_state != NULL) { 578 if (state->io_read_handler != NULL || c->read != NULL) { 579 nxt_conn_read(task->thread->engine, c); 580 return; 581 } 582 583 } else { 584 if (c->write != NULL) { 585 nxt_conn_write(task->thread->engine, c); 586 return; 587 } 588 } 589 590 handler = state->ready_handler; 591 592 } else { 593 c->socket.read_handler = nxt_openssl_conn_handshake; 594 c->socket.write_handler = nxt_openssl_conn_handshake; 595 596 n = nxt_openssl_conn_test_error(task, c, ret, err, 597 NXT_OPENSSL_HANDSHAKE); 598 switch (n) { 599 600 case NXT_AGAIN: 601 if (tls->ssl_error == SSL_ERROR_WANT_READ && tls->times < 2) { 602 tls->times++; 603 } 604 605 return; 606 607 case 0: 608 handler = state->close_handler; 609 break; 610 611 default: 612 case NXT_ERROR: 613 nxt_openssl_conn_error(task, err, "SSL_do_handshake(%d) failed", 614 c->socket.fd); 615 616 handler = state->error_handler; 617 break; 618 } 619 } 620 621 wq = (c->read_state != NULL) ? c->read_work_queue : c->write_work_queue; 622 623 nxt_work_queue_add(wq, handler, task, c, data); 624 } 625 626 627 static ssize_t 628 nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b) 629 { 630 int ret; 631 size_t size; 632 nxt_int_t n; 633 nxt_err_t err; 634 nxt_openssl_conn_t *tls; 635 636 tls = c->u.tls; 637 size = b->mem.end - b->mem.free; 638 639 ret = SSL_read(tls->session, b->mem.free, size); 640 641 err = (ret <= 0) ? nxt_socket_errno : 0; 642 643 nxt_debug(c->socket.task, "SSL_read(%d, %p, %uz): %d err:%d", 644 c->socket.fd, b->mem.free, size, ret, err); 645 646 if (ret > 0) { 647 return ret; 648 } 649 650 n = nxt_openssl_conn_test_error(c->socket.task, c, ret, err, 651 NXT_OPENSSL_READ); 652 if (n == NXT_ERROR) { 653 nxt_openssl_conn_error(c->socket.task, err, 654 "SSL_read(%d, %p, %uz) failed", 655 c->socket.fd, b->mem.free, size); 656 } 657 658 return n; 659 } 660 661 662 static ssize_t 663 nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb) 664 { 665 nxt_uint_t niov; 666 struct iovec iov; 667 668 niov = nxt_sendbuf_mem_coalesce0(task, sb, &iov, 1); 669 670 if (niov == 0 && sb->sync) { 671 return 0; 672 } 673 674 return nxt_openssl_conn_io_send(task, sb, iov.iov_base, iov.iov_len); 675 } 676 677 678 static ssize_t 679 nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, void *buf, 680 size_t size) 681 { 682 int ret; 683 nxt_err_t err; 684 nxt_int_t n; 685 nxt_conn_t *c; 686 nxt_openssl_conn_t *tls; 687 688 tls = sb->tls; 689 690 ret = SSL_write(tls->session, buf, size); 691 692 err = (ret <= 0) ? nxt_socket_errno : 0; 693 694 nxt_debug(task, "SSL_write(%d, %p, %uz): %d err:%d", 695 sb->socket, buf, size, ret, err); 696 697 if (ret > 0) { 698 return ret; 699 } 700 701 c = tls->conn; 702 c->socket.write_ready = sb->ready; 703 704 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_WRITE); 705 706 sb->ready = c->socket.write_ready; 707 708 if (n == NXT_ERROR) { 709 sb->error = c->socket.error; 710 nxt_openssl_conn_error(task, err, "SSL_write(%d, %p, %uz) failed", 711 sb->socket, buf, size); 712 } 713 714 return n; 715 } 716 717 718 static void 719 nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, void *data) 720 { 721 int ret, mode; 722 SSL *s; 723 nxt_err_t err; 724 nxt_int_t n; 725 nxt_bool_t quiet, once; 726 nxt_conn_t *c; 727 nxt_openssl_conn_t *tls; 728 nxt_work_handler_t handler; 729 730 c = obj; 731 732 nxt_debug(task, "openssl conn shutdown fd:%d", c->socket.fd); 733 734 c->read_state = NULL; 735 tls = c->u.tls; 736 737 if (tls == NULL) { 738 return; 739 } 740 741 s = tls->session; 742 743 if (s == NULL || !tls->handshake) { 744 handler = c->write_state->ready_handler; 745 goto done; 746 } 747 748 mode = SSL_get_shutdown(s); 749 750 if (c->socket.timedout || c->socket.error != 0) { 751 quiet = 1; 752 753 } else if (c->socket.closed && !(mode & SSL_RECEIVED_SHUTDOWN)) { 754 quiet = 1; 755 756 } else { 757 quiet = 0; 758 } 759 760 SSL_set_quiet_shutdown(s, quiet); 761 762 once = 1; 763 764 for ( ;; ) { 765 SSL_set_shutdown(s, mode); 766 767 ret = SSL_shutdown(s); 768 769 err = (ret <= 0) ? nxt_socket_errno : 0; 770 771 nxt_debug(task, "SSL_shutdown(%d, %d, %b): %d err:%d", 772 c->socket.fd, mode, quiet, ret, err); 773 774 if (ret > 0) { 775 /* ret == 1, the shutdown was successfully completed. */ 776 handler = c->write_state->ready_handler; 777 goto done; 778 } 779 780 if (ret == 0) { 781 /* 782 * If SSL_shutdown() returns 0 then it should be called 783 * again. The second SSL_shutdown() call should return 784 * -1/SSL_ERROR_WANT_READ or -1/SSL_ERROR_WANT_WRITE. 785 * OpenSSL prior to 0.9.8m version however never returns 786 * -1 at all. Fortunately, OpenSSL preserves internally 787 * correct status available via SSL_get_error(-1). 788 */ 789 if (once) { 790 once = 0; 791 mode = SSL_get_shutdown(s); 792 continue; 793 } 794 795 ret = -1; 796 } 797 798 /* ret == -1 */ 799 800 break; 801 } 802 803 c->socket.read_handler = nxt_openssl_conn_io_shutdown; 804 c->socket.write_handler = nxt_openssl_conn_io_shutdown; 805 c->socket.error_handler = c->write_state->error_handler; 806 807 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_SHUTDOWN); 808 809 switch (n) { 810 811 case 0: 812 handler = c->write_state->close_handler; 813 break; 814 815 case NXT_AGAIN: 816 nxt_timer_add(task->thread->engine, &c->read_timer, 5000); 817 return; 818 819 default: 820 case NXT_ERROR: 821 nxt_openssl_conn_error(task, err, "SSL_shutdown(%d) failed", 822 c->socket.fd); 823 handler = c->write_state->error_handler; 824 } 825 826 done: 827 828 nxt_openssl_conn_free(task, c); 829 830 nxt_work_queue_add(c->write_work_queue, handler, task, c, data); 831 } 832 833 834 static nxt_int_t 835 nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, int ret, 836 nxt_err_t sys_err, nxt_openssl_io_t io) 837 { 838 u_long lib_err; 839 nxt_openssl_conn_t *tls; 840 841 tls = c->u.tls; 842 843 tls->ssl_error = SSL_get_error(tls->session, ret); 844 845 nxt_debug(task, "SSL_get_error(): %d", tls->ssl_error); 846 847 switch (tls->ssl_error) { 848 849 case SSL_ERROR_WANT_READ: 850 c->socket.read_ready = 0; 851 852 if (io != NXT_OPENSSL_READ) { 853 nxt_fd_event_block_write(task->thread->engine, &c->socket); 854 855 if (nxt_fd_event_is_disabled(c->socket.read)) { 856 nxt_fd_event_enable_read(task->thread->engine, &c->socket); 857 } 858 } 859 860 return NXT_AGAIN; 861 862 case SSL_ERROR_WANT_WRITE: 863 c->socket.write_ready = 0; 864 865 if (io != NXT_OPENSSL_WRITE) { 866 nxt_fd_event_block_read(task->thread->engine, &c->socket); 867 868 if (nxt_fd_event_is_disabled(c->socket.write)) { 869 nxt_fd_event_enable_write(task->thread->engine, &c->socket); 870 } 871 } 872 873 return NXT_AGAIN; 874 875 case SSL_ERROR_SYSCALL: 876 lib_err = ERR_peek_error(); 877 878 nxt_debug(task, "ERR_peek_error(): %l", lib_err); 879 880 if (sys_err != 0 || lib_err != 0) { 881 c->socket.error = sys_err; 882 return NXT_ERROR; 883 } 884 885 /* A connection was just closed. */ 886 c->socket.closed = 1; 887 return 0; 888 889 case SSL_ERROR_ZERO_RETURN: 890 /* A "close notify" alert. */ 891 return 0; 892 893 default: /* SSL_ERROR_SSL, etc. */ 894 c->socket.error = 1000; /* Nonexistent errno code. */ 895 return NXT_ERROR; 896 } 897 } 898 899 900 static void nxt_cdecl 901 nxt_openssl_conn_error(nxt_task_t *task, nxt_err_t err, const char *fmt, ...) 902 { 903 u_char *p, *end; 904 va_list args; 905 nxt_uint_t level; 906 u_char msg[NXT_MAX_ERROR_STR]; 907 908 level = nxt_openssl_log_error_level(err); 909 910 if (nxt_log_level_enough(task->log, level)) { 911 912 end = msg + sizeof(msg); 913 914 va_start(args, fmt); 915 p = nxt_vsprintf(msg, end, fmt, args); 916 va_end(args); 917 918 if (err != 0) { 919 p = nxt_sprintf(p, end, " %E", err); 920 } 921 922 p = nxt_openssl_copy_error(p, end); 923 924 nxt_log(task, level, "%*s", p - msg, msg); 925 926 } else { 927 ERR_clear_error(); 928 } 929 } 930 931 932 static nxt_uint_t 933 nxt_openssl_log_error_level(nxt_err_t err) 934 { 935 switch (ERR_GET_REASON(ERR_peek_error())) { 936 937 case 0: 938 return nxt_socket_error_level(err); 939 940 case SSL_R_BAD_CHANGE_CIPHER_SPEC: /* 103 */ 941 case SSL_R_BLOCK_CIPHER_PAD_IS_WRONG: /* 129 */ 942 case SSL_R_DIGEST_CHECK_FAILED: /* 149 */ 943 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: /* 151 */ 944 case SSL_R_EXCESSIVE_MESSAGE_SIZE: /* 152 */ 945 case SSL_R_LENGTH_MISMATCH: /* 159 */ 946 #ifdef SSL_R_NO_CIPHERS_PASSED 947 case SSL_R_NO_CIPHERS_PASSED: /* 182 */ 948 #endif 949 case SSL_R_NO_CIPHERS_SPECIFIED: /* 183 */ 950 case SSL_R_NO_COMPRESSION_SPECIFIED: /* 187 */ 951 case SSL_R_NO_SHARED_CIPHER: /* 193 */ 952 case SSL_R_RECORD_LENGTH_MISMATCH: /* 213 */ 953 #ifdef SSL_R_PARSE_TLSEXT 954 case SSL_R_PARSE_TLSEXT: /* 227 */ 955 #endif 956 case SSL_R_UNEXPECTED_MESSAGE: /* 244 */ 957 case SSL_R_UNEXPECTED_RECORD: /* 245 */ 958 case SSL_R_UNKNOWN_ALERT_TYPE: /* 246 */ 959 case SSL_R_UNKNOWN_PROTOCOL: /* 252 */ 960 case SSL_R_WRONG_VERSION_NUMBER: /* 267 */ 961 case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: /* 281 */ 962 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG 963 case SSL_R_RENEGOTIATE_EXT_TOO_LONG: /* 335 */ 964 case SSL_R_RENEGOTIATION_ENCODING_ERR: /* 336 */ 965 case SSL_R_RENEGOTIATION_MISMATCH: /* 337 */ 966 #endif 967 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 968 case SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED: /* 338 */ 969 #endif 970 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 971 case SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING: /* 345 */ 972 #endif 973 case 1000:/* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ 974 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: /* 1010 */ 975 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: /* 1020 */ 976 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: /* 1021 */ 977 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: /* 1022 */ 978 case SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE: /* 1030 */ 979 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: /* 1040 */ 980 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: /* 1047 */ 981 break; 982 983 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: /* 1041 */ 984 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE: /* 1042 */ 985 case SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE: /* 1043 */ 986 case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED: /* 1044 */ 987 case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED: /* 1045 */ 988 case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN: /* 1046 */ 989 case SSL_R_TLSV1_ALERT_UNKNOWN_CA: /* 1048 */ 990 case SSL_R_TLSV1_ALERT_ACCESS_DENIED: /* 1049 */ 991 case SSL_R_TLSV1_ALERT_DECODE_ERROR: /* 1050 */ 992 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: /* 1051 */ 993 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: /* 1060 */ 994 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION: /* 1070 */ 995 case SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY: /* 1071 */ 996 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: /* 1080 */ 997 case SSL_R_TLSV1_ALERT_USER_CANCELLED: /* 1090 */ 998 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: /* 1100 */ 999 return NXT_LOG_ERR; 1000 1001 default: 1002 return NXT_LOG_ALERT; 1003 } 1004 1005 return NXT_LOG_INFO; 1006 } 1007 1008 1009 void nxt_cdecl 1010 nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level, const char *fmt, ...) 1011 { 1012 u_char *p, *end; 1013 va_list args; 1014 u_char msg[NXT_MAX_ERROR_STR]; 1015 1016 end = msg + sizeof(msg); 1017 1018 va_start(args, fmt); 1019 p = nxt_vsprintf(msg, end, fmt, args); 1020 va_end(args); 1021 1022 p = nxt_openssl_copy_error(p, end); 1023 1024 nxt_log(task, level, "%*s", p - msg, msg); 1025 } 1026 1027 1028 u_char * 1029 nxt_openssl_copy_error(u_char *p, u_char *end) 1030 { 1031 int flags; 1032 u_long err; 1033 nxt_bool_t clear; 1034 const char *data, *delimiter; 1035 1036 err = ERR_peek_error(); 1037 if (err == 0) { 1038 return p; 1039 } 1040 1041 /* Log the most relevant error message ... */ 1042 data = ERR_reason_error_string(err); 1043 1044 p = nxt_sprintf(p, end, " (%d: %s) (OpenSSL: ", ERR_GET_REASON(err), data); 1045 1046 /* 1047 * ... followed by all queued cumbersome OpenSSL error messages 1048 * and drain the error queue. 1049 */ 1050 delimiter = ""; 1051 clear = 0; 1052 1053 for ( ;; ) { 1054 err = ERR_get_error_line_data(NULL, NULL, &data, &flags); 1055 if (err == 0) { 1056 break; 1057 } 1058 1059 p = nxt_sprintf(p, end, "%s", delimiter); 1060 1061 ERR_error_string_n(err, (char *) p, end - p); 1062 1063 while (p < end && *p != '\0') { 1064 p++; 1065 } 1066 1067 if ((flags & ERR_TXT_STRING) != 0) { 1068 p = nxt_sprintf(p, end, ":%s", data); 1069 } 1070 1071 clear |= ((flags & ERR_TXT_MALLOCED) != 0); 1072 1073 delimiter = "; "; 1074 } 1075 1076 /* Deallocate additional data. */ 1077 1078 if (clear) { 1079 ERR_clear_error(); 1080 } 1081 1082 if (p < end) { 1083 *p++ = ')'; 1084 } 1085 1086 return p; 1087 } 1088