1 2 /* 3 * Copyright (C) Igor Sysoev 4 * Copyright (C) NGINX, Inc. 5 */ 6 7 #include <nxt_main.h> 8 #include <openssl/ssl.h> 9 #include <openssl/conf.h> 10 #include <openssl/err.h> 11 #include <openssl/rand.h> 12 #include <openssl/x509v3.h> 13 14 15 typedef struct { 16 SSL *session; 17 nxt_conn_t *conn; 18 19 int ssl_error; 20 uint8_t times; /* 2 bits */ 21 uint8_t handshake; /* 1 bit */ 22 23 nxt_tls_conf_t *conf; 24 nxt_buf_mem_t buffer; 25 } nxt_openssl_conn_t; 26 27 28 typedef enum { 29 NXT_OPENSSL_HANDSHAKE = 0, 30 NXT_OPENSSL_READ, 31 NXT_OPENSSL_WRITE, 32 NXT_OPENSSL_SHUTDOWN, 33 } nxt_openssl_io_t; 34 35 36 static nxt_int_t nxt_openssl_library_init(nxt_task_t *task); 37 static void nxt_openssl_library_free(nxt_task_t *task); 38 #if OPENSSL_VERSION_NUMBER < 0x10100004L 39 static nxt_int_t nxt_openssl_locks_init(void); 40 static void nxt_openssl_lock(int mode, int type, const char *file, int line); 41 static unsigned long nxt_openssl_thread_id(void); 42 static void nxt_openssl_locks_free(void); 43 #endif 44 static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, 45 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t last); 46 static nxt_int_t nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, 47 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t single); 48 static nxt_uint_t nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, 49 nxt_tls_conf_t *conf, nxt_mp_t *mp); 50 static nxt_int_t nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, 51 void *data); 52 static nxt_int_t nxt_openssl_bundle_hash_insert(nxt_task_t *task, 53 nxt_lvlhsh_t *lvlhsh, nxt_tls_bundle_hash_item_t *item, nxt_mp_t * mp); 54 static nxt_int_t nxt_openssl_servername(SSL *s, int *ad, void *arg); 55 static nxt_tls_bundle_conf_t *nxt_openssl_find_ctx(nxt_tls_conf_t *conf, 56 nxt_str_t *sn); 57 static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf); 58 static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, 59 nxt_conn_t *c); 60 static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data); 61 static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b); 62 static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb); 63 static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, 64 void *buf, size_t size); 65 static void nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, 66 void *data); 67 static nxt_int_t nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, 68 int ret, nxt_err_t sys_err, nxt_openssl_io_t io); 69 static void nxt_openssl_conn_io_shutdown_timeout(nxt_task_t *task, void *obj, 70 void *data); 71 static void nxt_cdecl nxt_openssl_conn_error(nxt_task_t *task, 72 nxt_err_t err, const char *fmt, ...); 73 static nxt_uint_t nxt_openssl_log_error_level(nxt_err_t err); 74 75 76 const nxt_tls_lib_t nxt_openssl_lib = { 77 .library_init = nxt_openssl_library_init, 78 .library_free = nxt_openssl_library_free, 79 80 .server_init = nxt_openssl_server_init, 81 .server_free = nxt_openssl_server_free, 82 }; 83 84 85 static nxt_conn_io_t nxt_openssl_conn_io = { 86 .read = nxt_conn_io_read, 87 .recvbuf = nxt_openssl_conn_io_recvbuf, 88 89 .write = nxt_conn_io_write, 90 .sendbuf = nxt_openssl_conn_io_sendbuf, 91 92 .shutdown = nxt_openssl_conn_io_shutdown, 93 }; 94 95 96 static long nxt_openssl_version; 97 static int nxt_openssl_connection_index; 98 99 100 static nxt_int_t 101 nxt_openssl_library_init(nxt_task_t *task) 102 { 103 int index; 104 105 if (nxt_fast_path(nxt_openssl_version != 0)) { 106 return NXT_OK; 107 } 108 109 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 110 111 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); 112 113 #else 114 { 115 nxt_int_t ret; 116 117 SSL_load_error_strings(); 118 119 OPENSSL_config(NULL); 120 121 /* 122 * SSL_library_init(3): 123 * 124 * SSL_library_init() always returns "1", 125 * so it is safe to discard the return value. 126 */ 127 (void) SSL_library_init(); 128 129 ret = nxt_openssl_locks_init(); 130 if (nxt_slow_path(ret != NXT_OK)) { 131 return ret; 132 } 133 } 134 135 #endif 136 137 nxt_openssl_version = SSLeay(); 138 139 nxt_log(task, NXT_LOG_INFO, "%s, %xl", 140 SSLeay_version(SSLEAY_VERSION), nxt_openssl_version); 141 142 #ifndef SSL_OP_NO_COMPRESSION 143 { 144 /* 145 * Disable gzip compression in OpenSSL prior to 1.0.0 146 * version, this saves about 522K per connection. 147 */ 148 int n; 149 STACK_OF(SSL_COMP) *ssl_comp_methods; 150 151 ssl_comp_methods = SSL_COMP_get_compression_methods(); 152 153 for (n = sk_SSL_COMP_num(ssl_comp_methods); n != 0; n--) { 154 (void) sk_SSL_COMP_pop(ssl_comp_methods); 155 } 156 } 157 #endif 158 159 index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); 160 161 if (index == -1) { 162 nxt_openssl_log_error(task, NXT_LOG_ALERT, 163 "SSL_get_ex_new_index() failed"); 164 return NXT_ERROR; 165 } 166 167 nxt_openssl_connection_index = index; 168 169 return NXT_OK; 170 } 171 172 173 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 174 175 static void 176 nxt_openssl_library_free(nxt_task_t *task) 177 { 178 } 179 180 #else 181 182 static nxt_thread_mutex_t *nxt_openssl_locks; 183 184 static nxt_int_t 185 nxt_openssl_locks_init(void) 186 { 187 int i, n; 188 nxt_int_t ret; 189 190 n = CRYPTO_num_locks(); 191 192 nxt_openssl_locks = OPENSSL_malloc(n * sizeof(nxt_thread_mutex_t)); 193 if (nxt_slow_path(nxt_openssl_locks == NULL)) { 194 return NXT_ERROR; 195 } 196 197 for (i = 0; i < n; i++) { 198 ret = nxt_thread_mutex_create(&nxt_openssl_locks[i]); 199 if (nxt_slow_path(ret != NXT_OK)) { 200 return ret; 201 } 202 } 203 204 CRYPTO_set_locking_callback(nxt_openssl_lock); 205 206 CRYPTO_set_id_callback(nxt_openssl_thread_id); 207 208 return NXT_OK; 209 } 210 211 212 static void 213 nxt_openssl_lock(int mode, int type, const char *file, int line) 214 { 215 nxt_thread_mutex_t *lock; 216 217 lock = &nxt_openssl_locks[type]; 218 219 if ((mode & CRYPTO_LOCK) != 0) { 220 (void) nxt_thread_mutex_lock(lock); 221 222 } else { 223 (void) nxt_thread_mutex_unlock(lock); 224 } 225 } 226 227 228 static u_long 229 nxt_openssl_thread_id(void) 230 { 231 return (u_long) nxt_thread_handle(); 232 } 233 234 235 static void 236 nxt_openssl_library_free(nxt_task_t *task) 237 { 238 nxt_openssl_locks_free(); 239 } 240 241 242 static void 243 nxt_openssl_locks_free(void) 244 { 245 int i, n; 246 247 n = CRYPTO_num_locks(); 248 249 CRYPTO_set_locking_callback(NULL); 250 251 for (i = 0; i < n; i++) { 252 nxt_thread_mutex_destroy(&nxt_openssl_locks[i]); 253 } 254 255 OPENSSL_free(nxt_openssl_locks); 256 } 257 258 #endif 259 260 261 static nxt_int_t 262 nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf, 263 nxt_mp_t *mp, nxt_bool_t last) 264 { 265 SSL_CTX *ctx; 266 const char *ciphers, *ca_certificate; 267 STACK_OF(X509_NAME) *list; 268 nxt_tls_bundle_conf_t *bundle; 269 270 ctx = SSL_CTX_new(SSLv23_server_method()); 271 if (ctx == NULL) { 272 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed"); 273 return NXT_ERROR; 274 } 275 276 bundle = conf->bundle; 277 nxt_assert(bundle != NULL); 278 279 bundle->ctx = ctx; 280 281 #ifdef SSL_OP_NO_RENEGOTIATION 282 /* Renegration is not currently supported. */ 283 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); 284 #endif 285 286 #ifdef SSL_OP_NO_COMPRESSION 287 /* 288 * Disable gzip compression in OpenSSL 1.0.0, 289 * this saves about 522K per connection. 290 */ 291 SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); 292 #endif 293 294 #ifdef SSL_MODE_RELEASE_BUFFERS 295 296 if (nxt_openssl_version >= 10001078) { 297 /* 298 * Allow to release read and write buffers in OpenSSL 1.0.0, 299 * this saves about 34K per idle connection. It is not safe 300 * before OpenSSL 1.0.1h (CVE-2010-5298). 301 */ 302 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); 303 } 304 305 #endif 306 307 if (nxt_openssl_chain_file(task, ctx, conf, mp, 308 last && bundle->next == NULL) 309 != NXT_OK) 310 { 311 goto fail; 312 } 313 /* 314 key = conf->certificate_key; 315 316 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) { 317 nxt_openssl_log_error(task, NXT_LOG_ALERT, 318 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", 319 key); 320 goto fail; 321 } 322 */ 323 ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5"; 324 325 if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) { 326 nxt_openssl_log_error(task, NXT_LOG_ALERT, 327 "SSL_CTX_set_cipher_list(\"%s\") failed", 328 ciphers); 329 goto fail; 330 } 331 332 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 333 334 if (conf->ca_certificate != NULL) { 335 336 /* TODO: verify callback */ 337 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 338 339 /* TODO: verify depth */ 340 SSL_CTX_set_verify_depth(ctx, 1); 341 342 ca_certificate = conf->ca_certificate; 343 344 if (SSL_CTX_load_verify_locations(ctx, ca_certificate, NULL) == 0) { 345 nxt_openssl_log_error(task, NXT_LOG_ALERT, 346 "SSL_CTX_load_verify_locations(\"%s\") failed", 347 ca_certificate); 348 goto fail; 349 } 350 351 list = SSL_load_client_CA_file(ca_certificate); 352 353 if (list == NULL) { 354 nxt_openssl_log_error(task, NXT_LOG_ALERT, 355 "SSL_load_client_CA_file(\"%s\") failed", 356 ca_certificate); 357 goto fail; 358 } 359 360 /* 361 * SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and 362 * 0.9.8 versions always leaves an error in the error queue. 363 */ 364 ERR_clear_error(); 365 366 SSL_CTX_set_client_CA_list(ctx, list); 367 } 368 369 if (last) { 370 conf->conn_init = nxt_openssl_conn_init; 371 372 if (bundle->next != NULL) { 373 SSL_CTX_set_tlsext_servername_callback(ctx, nxt_openssl_servername); 374 } 375 } 376 377 return NXT_OK; 378 379 fail: 380 381 SSL_CTX_free(ctx); 382 383 #if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 384 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 385 RAND_keep_random_devices_open(0); 386 #endif 387 388 return NXT_ERROR; 389 } 390 391 392 static nxt_int_t 393 nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, nxt_tls_conf_t *conf, 394 nxt_mp_t *mp, nxt_bool_t single) 395 { 396 BIO *bio; 397 X509 *cert, *ca; 398 long reason; 399 EVP_PKEY *key; 400 nxt_int_t ret; 401 nxt_tls_bundle_conf_t *bundle; 402 403 ret = NXT_ERROR; 404 cert = NULL; 405 406 bio = BIO_new(BIO_s_fd()); 407 if (bio == NULL) { 408 goto end; 409 } 410 411 bundle = conf->bundle; 412 413 BIO_set_fd(bio, bundle->chain_file, BIO_CLOSE); 414 415 cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); 416 if (cert == NULL) { 417 goto end; 418 } 419 420 if (SSL_CTX_use_certificate(ctx, cert) != 1) { 421 goto end; 422 } 423 424 if (!single && nxt_openssl_cert_get_names(task, cert, conf, mp) != NXT_OK) { 425 goto clean; 426 } 427 428 for ( ;; ) { 429 ca = PEM_read_bio_X509(bio, NULL, NULL, NULL); 430 431 if (ca == NULL) { 432 reason = ERR_GET_REASON(ERR_peek_last_error()); 433 if (reason != PEM_R_NO_START_LINE) { 434 goto end; 435 } 436 437 ERR_clear_error(); 438 break; 439 } 440 441 /* 442 * Note that ca isn't freed if it was successfully added to the chain, 443 * while the main certificate needs a X509_free() call, since 444 * its reference count is increased by SSL_CTX_use_certificate(). 445 */ 446 #ifdef SSL_CTX_add0_chain_cert 447 if (SSL_CTX_add0_chain_cert(ctx, ca) != 1) { 448 #else 449 if (SSL_CTX_add_extra_chain_cert(ctx, ca) != 1) { 450 #endif 451 X509_free(ca); 452 goto end; 453 } 454 } 455 456 if (BIO_reset(bio) != 0) { 457 goto end; 458 } 459 460 key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); 461 if (key == NULL) { 462 goto end; 463 } 464 465 if (SSL_CTX_use_PrivateKey(ctx, key) == 1) { 466 ret = NXT_OK; 467 } 468 469 EVP_PKEY_free(key); 470 471 end: 472 473 if (ret != NXT_OK) { 474 nxt_openssl_log_error(task, NXT_LOG_ALERT, 475 "nxt_openssl_chain_file() failed"); 476 } 477 478 clean: 479 480 BIO_free(bio); 481 X509_free(cert); 482 483 return ret; 484 } 485 486 487 static nxt_uint_t 488 nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, nxt_tls_conf_t *conf, 489 nxt_mp_t *mp) 490 { 491 int len; 492 nxt_str_t domain, str; 493 X509_NAME *x509_name; 494 nxt_uint_t i, n; 495 GENERAL_NAME *name; 496 nxt_tls_bundle_conf_t *bundle; 497 STACK_OF(GENERAL_NAME) *alt_names; 498 nxt_tls_bundle_hash_item_t *item; 499 500 bundle = conf->bundle; 501 502 alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 503 504 if (alt_names != NULL) { 505 n = sk_GENERAL_NAME_num(alt_names); 506 507 for (i = 0; i != n; i++) { 508 name = sk_GENERAL_NAME_value(alt_names, i); 509 510 if (name->type != GEN_DNS) { 511 continue; 512 } 513 514 str.length = ASN1_STRING_length(name->d.dNSName); 515 #if OPENSSL_VERSION_NUMBER > 0x10100000L 516 str.start = (u_char *) ASN1_STRING_get0_data(name->d.dNSName); 517 #else 518 str.start = ASN1_STRING_data(name->d.dNSName); 519 #endif 520 521 domain.start = nxt_mp_nget(mp, str.length); 522 if (nxt_slow_path(domain.start == NULL)) { 523 goto fail; 524 } 525 526 domain.length = str.length; 527 nxt_memcpy_lowcase(domain.start, str.start, str.length); 528 529 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t)); 530 if (nxt_slow_path(item == NULL)) { 531 goto fail; 532 } 533 534 item->name = domain; 535 item->bundle = bundle; 536 537 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, 538 item, mp) 539 == NXT_ERROR) 540 { 541 goto fail; 542 } 543 } 544 545 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free); 546 547 } else { 548 x509_name = X509_get_subject_name(cert); 549 len = X509_NAME_get_text_by_NID(x509_name, NID_commonName, 550 NULL, 0); 551 if (len <= 0) { 552 nxt_log(task, NXT_LOG_WARN, "certificate \"%V\" has neither " 553 "Subject Alternative Name nor Common Name", bundle->name); 554 return NXT_OK; 555 } 556 557 domain.start = nxt_mp_nget(mp, len + 1); 558 if (nxt_slow_path(domain.start == NULL)) { 559 return NXT_ERROR; 560 } 561 562 domain.length = X509_NAME_get_text_by_NID(x509_name, NID_commonName, 563 (char *) domain.start, 564 len + 1); 565 nxt_memcpy_lowcase(domain.start, domain.start, domain.length); 566 567 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t)); 568 if (nxt_slow_path(item == NULL)) { 569 return NXT_ERROR; 570 } 571 572 item->name = domain; 573 item->bundle = bundle; 574 575 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, item, 576 mp) 577 == NXT_ERROR) 578 { 579 return NXT_ERROR; 580 } 581 } 582 583 return NXT_OK; 584 585 fail: 586 587 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free); 588 589 return NXT_ERROR; 590 } 591 592 593 static const nxt_lvlhsh_proto_t nxt_openssl_bundle_hash_proto 594 nxt_aligned(64) = 595 { 596 NXT_LVLHSH_DEFAULT, 597 nxt_openssl_bundle_hash_test, 598 nxt_mp_lvlhsh_alloc, 599 nxt_mp_lvlhsh_free, 600 }; 601 602 603 static nxt_int_t 604 nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, void *data) 605 { 606 nxt_tls_bundle_hash_item_t *item; 607 608 item = data; 609 610 return nxt_strstr_eq(&lhq->key, &item->name) ? NXT_OK : NXT_DECLINED; 611 } 612 613 614 static nxt_int_t 615 nxt_openssl_bundle_hash_insert(nxt_task_t *task, nxt_lvlhsh_t *lvlhsh, 616 nxt_tls_bundle_hash_item_t *item, nxt_mp_t *mp) 617 { 618 nxt_str_t str; 619 nxt_int_t ret; 620 nxt_lvlhsh_query_t lhq; 621 nxt_tls_bundle_hash_item_t *old; 622 623 str = item->name; 624 625 if (item->name.start[0] == '*') { 626 item->name.start++; 627 item->name.length--; 628 629 if (item->name.length == 0 || item->name.start[0] != '.') { 630 nxt_log(task, NXT_LOG_WARN, "ignored invalid name \"%V\" " 631 "in certificate \"%V\": missing \".\" " 632 "after wildcard symbol", &str, item->bundle->name); 633 return NXT_OK; 634 } 635 } 636 637 lhq.pool = mp; 638 lhq.key = item->name; 639 lhq.value = item; 640 lhq.proto = &nxt_openssl_bundle_hash_proto; 641 lhq.replace = 0; 642 lhq.key_hash = nxt_murmur_hash2(item->name.start, item->name.length); 643 644 ret = nxt_lvlhsh_insert(lvlhsh, &lhq); 645 if (nxt_fast_path(ret == NXT_OK)) { 646 nxt_debug(task, "name \"%V\" for certificate \"%V\" is inserted", 647 &str, item->bundle->name); 648 return NXT_OK; 649 } 650 651 if (nxt_fast_path(ret == NXT_DECLINED)) { 652 old = lhq.value; 653 if (old->bundle != item->bundle) { 654 nxt_log(task, NXT_LOG_WARN, "ignored duplicate name \"%V\" " 655 "in certificate \"%V\", identical name appears in \"%V\"", 656 &str, old->bundle->name, item->bundle->name); 657 658 old->bundle = item->bundle; 659 } 660 661 return NXT_OK; 662 } 663 664 return NXT_ERROR; 665 } 666 667 668 static nxt_int_t 669 nxt_openssl_servername(SSL *s, int *ad, void *arg) 670 { 671 nxt_str_t str; 672 nxt_uint_t i; 673 nxt_conn_t *c; 674 const char *servername; 675 nxt_tls_conf_t *conf; 676 nxt_openssl_conn_t *tls; 677 nxt_tls_bundle_conf_t *bundle; 678 679 c = SSL_get_ex_data(s, nxt_openssl_connection_index); 680 681 if (nxt_slow_path(c == NULL)) { 682 nxt_thread_log_alert("SSL_get_ex_data() failed"); 683 return SSL_TLSEXT_ERR_ALERT_FATAL; 684 } 685 686 servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 687 if (nxt_slow_path(servername == NULL)) { 688 nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned " 689 "NULL in server name callback"); 690 return SSL_TLSEXT_ERR_ALERT_FATAL; 691 } 692 693 str.length = nxt_strlen(servername); 694 if (str.length == 0) { 695 nxt_debug(c->socket.task, "client sent zero-length server name"); 696 goto done; 697 } 698 699 if (servername[0] == '.') { 700 nxt_debug(c->socket.task, "ignored the server name \"%s\": " 701 "leading \".\"", servername); 702 goto done; 703 } 704 705 nxt_debug(c->socket.task, "tls with servername \"%s\"", servername); 706 707 str.start = nxt_mp_nget(c->mem_pool, str.length); 708 if (nxt_slow_path(str.start == NULL)) { 709 return SSL_TLSEXT_ERR_ALERT_FATAL; 710 } 711 712 nxt_memcpy_lowcase(str.start, (const u_char *) servername, str.length); 713 714 tls = c->u.tls; 715 conf = tls->conf; 716 717 bundle = nxt_openssl_find_ctx(conf, &str); 718 719 if (bundle == NULL) { 720 for (i = 1; i < str.length; i++) { 721 if (str.start[i] == '.') { 722 str.start += i; 723 str.length -= i; 724 725 bundle = nxt_openssl_find_ctx(conf, &str); 726 break; 727 } 728 } 729 } 730 731 if (bundle != NULL) { 732 nxt_debug(c->socket.task, "new tls context found for \"%V\": \"%V\" " 733 "(old: \"%V\")", &str, bundle->name, 734 conf->bundle->name); 735 736 if (bundle != conf->bundle) { 737 if (SSL_set_SSL_CTX(s, bundle->ctx) == NULL) { 738 nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT, 739 "SSL_set_SSL_CTX() failed"); 740 741 return SSL_TLSEXT_ERR_ALERT_FATAL; 742 } 743 } 744 } 745 746 done: 747 748 return SSL_TLSEXT_ERR_OK; 749 } 750 751 752 static nxt_tls_bundle_conf_t * 753 nxt_openssl_find_ctx(nxt_tls_conf_t *conf, nxt_str_t *sn) 754 { 755 nxt_int_t ret; 756 nxt_lvlhsh_query_t lhq; 757 nxt_tls_bundle_hash_item_t *item; 758 759 lhq.key_hash = nxt_murmur_hash2(sn->start, sn->length); 760 lhq.key = *sn; 761 lhq.proto = &nxt_openssl_bundle_hash_proto; 762 763 ret = nxt_lvlhsh_find(&conf->bundle_hash, &lhq); 764 if (ret != NXT_OK) { 765 return NULL; 766 } 767 768 item = lhq.value; 769 770 return item->bundle; 771 } 772 773 774 static void 775 nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf) 776 { 777 nxt_tls_bundle_conf_t *bundle; 778 779 bundle = conf->bundle; 780 nxt_assert(bundle != NULL); 781 782 do { 783 SSL_CTX_free(bundle->ctx); 784 bundle = bundle->next; 785 } while (bundle != NULL); 786 787 #if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 788 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 789 RAND_keep_random_devices_open(0); 790 #endif 791 } 792 793 794 static void 795 nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, nxt_conn_t *c) 796 { 797 int ret; 798 SSL *s; 799 SSL_CTX *ctx; 800 nxt_openssl_conn_t *tls; 801 802 nxt_log_debug(c->socket.log, "openssl conn init"); 803 804 tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t)); 805 if (tls == NULL) { 806 goto fail; 807 } 808 809 c->u.tls = tls; 810 nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size); 811 812 ctx = conf->bundle->ctx; 813 814 s = SSL_new(ctx); 815 if (s == NULL) { 816 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed"); 817 goto fail; 818 } 819 820 tls->session = s; 821 /* To pass TLS config to the nxt_openssl_servername() callback. */ 822 tls->conf = conf; 823 tls->conn = c; 824 825 ret = SSL_set_fd(s, c->socket.fd); 826 827 if (ret == 0) { 828 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed", 829 c->socket.fd); 830 goto fail; 831 } 832 833 SSL_set_accept_state(s); 834 835 if (SSL_set_ex_data(s, nxt_openssl_connection_index, c) == 0) { 836 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed"); 837 goto fail; 838 } 839 840 c->io = &nxt_openssl_conn_io; 841 c->sendfile = NXT_CONN_SENDFILE_OFF; 842 843 nxt_openssl_conn_handshake(task, c, c->socket.data); 844 845 return; 846 847 fail: 848 849 nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler, 850 task, c, c->socket.data); 851 } 852 853 854 nxt_inline void 855 nxt_openssl_conn_free(nxt_task_t *task, nxt_conn_t *c) 856 { 857 nxt_openssl_conn_t *tls; 858 859 nxt_debug(task, "openssl conn free"); 860 861 tls = c->u.tls; 862 863 if (tls != NULL) { 864 c->u.tls = NULL; 865 nxt_free(tls->buffer.start); 866 SSL_free(tls->session); 867 } 868 } 869 870 871 static void 872 nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data) 873 { 874 int ret; 875 nxt_int_t n; 876 nxt_err_t err; 877 nxt_conn_t *c; 878 nxt_work_queue_t *wq; 879 nxt_work_handler_t handler; 880 nxt_openssl_conn_t *tls; 881 const nxt_conn_state_t *state; 882 883 c = obj; 884 885 nxt_debug(task, "openssl conn handshake fd:%d", c->socket.fd); 886 887 if (c->socket.error != 0) { 888 return; 889 } 890 891 tls = c->u.tls; 892 893 if (tls == NULL) { 894 return; 895 } 896 897 nxt_debug(task, "openssl conn handshake: %d times", tls->times); 898 899 /* "tls->times == 1" is suitable to run SSL_do_handshake() in job. */ 900 901 ret = SSL_do_handshake(tls->session); 902 903 err = (ret <= 0) ? nxt_socket_errno : 0; 904 905 nxt_thread_time_debug_update(task->thread); 906 907 nxt_debug(task, "SSL_do_handshake(%d): %d err:%d", c->socket.fd, ret, err); 908 909 state = (c->read_state != NULL) ? c->read_state : c->write_state; 910 911 if (ret > 0) { 912 /* ret == 1, the handshake was successfully completed. */ 913 tls->handshake = 1; 914 915 if (c->read_state != NULL) { 916 if (state->io_read_handler != NULL || c->read != NULL) { 917 nxt_conn_read(task->thread->engine, c); 918 return; 919 } 920 921 } else { 922 if (c->write != NULL) { 923 nxt_conn_write(task->thread->engine, c); 924 return; 925 } 926 } 927 928 handler = state->ready_handler; 929 930 } else { 931 c->socket.read_handler = nxt_openssl_conn_handshake; 932 c->socket.write_handler = nxt_openssl_conn_handshake; 933 934 n = nxt_openssl_conn_test_error(task, c, ret, err, 935 NXT_OPENSSL_HANDSHAKE); 936 switch (n) { 937 938 case NXT_AGAIN: 939 if (tls->ssl_error == SSL_ERROR_WANT_READ && tls->times < 2) { 940 tls->times++; 941 } 942 943 return; 944 945 case 0: 946 handler = state->close_handler; 947 break; 948 949 default: 950 case NXT_ERROR: 951 nxt_openssl_conn_error(task, err, "SSL_do_handshake(%d) failed", 952 c->socket.fd); 953 954 handler = state->error_handler; 955 break; 956 } 957 } 958 959 wq = (c->read_state != NULL) ? c->read_work_queue : c->write_work_queue; 960 961 nxt_work_queue_add(wq, handler, task, c, data); 962 } 963 964 965 static ssize_t 966 nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b) 967 { 968 int ret; 969 size_t size; 970 nxt_int_t n; 971 nxt_err_t err; 972 nxt_openssl_conn_t *tls; 973 974 tls = c->u.tls; 975 size = b->mem.end - b->mem.free; 976 977 ret = SSL_read(tls->session, b->mem.free, size); 978 979 err = (ret <= 0) ? nxt_socket_errno : 0; 980 981 nxt_debug(c->socket.task, "SSL_read(%d, %p, %uz): %d err:%d", 982 c->socket.fd, b->mem.free, size, ret, err); 983 984 if (ret > 0) { 985 return ret; 986 } 987 988 n = nxt_openssl_conn_test_error(c->socket.task, c, ret, err, 989 NXT_OPENSSL_READ); 990 if (n == NXT_ERROR) { 991 nxt_openssl_conn_error(c->socket.task, err, 992 "SSL_read(%d, %p, %uz) failed", 993 c->socket.fd, b->mem.free, size); 994 } 995 996 return n; 997 } 998 999 1000 static ssize_t 1001 nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb) 1002 { 1003 nxt_uint_t niov; 1004 struct iovec iov; 1005 1006 niov = nxt_sendbuf_mem_coalesce0(task, sb, &iov, 1); 1007 1008 if (niov == 0 && sb->sync) { 1009 return 0; 1010 } 1011 1012 return nxt_openssl_conn_io_send(task, sb, iov.iov_base, iov.iov_len); 1013 } 1014 1015 1016 static ssize_t 1017 nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, void *buf, 1018 size_t size) 1019 { 1020 int ret; 1021 nxt_err_t err; 1022 nxt_int_t n; 1023 nxt_conn_t *c; 1024 nxt_openssl_conn_t *tls; 1025 1026 tls = sb->tls; 1027 1028 ret = SSL_write(tls->session, buf, size); 1029 1030 err = (ret <= 0) ? nxt_socket_errno : 0; 1031 1032 nxt_debug(task, "SSL_write(%d, %p, %uz): %d err:%d", 1033 sb->socket, buf, size, ret, err); 1034 1035 if (ret > 0) { 1036 return ret; 1037 } 1038 1039 c = tls->conn; 1040 c->socket.write_ready = sb->ready; 1041 1042 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_WRITE); 1043 1044 sb->ready = c->socket.write_ready; 1045 1046 if (n == NXT_ERROR) { 1047 sb->error = c->socket.error; 1048 nxt_openssl_conn_error(task, err, "SSL_write(%d, %p, %uz) failed", 1049 sb->socket, buf, size); 1050 } 1051 1052 return n; 1053 } 1054 1055 1056 static void 1057 nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, void *data) 1058 { 1059 int ret, mode; 1060 SSL *s; 1061 nxt_err_t err; 1062 nxt_int_t n; 1063 nxt_bool_t quiet, once; 1064 nxt_conn_t *c; 1065 nxt_openssl_conn_t *tls; 1066 nxt_work_handler_t handler; 1067 1068 c = obj; 1069 1070 nxt_debug(task, "openssl conn shutdown fd:%d", c->socket.fd); 1071 1072 c->read_state = NULL; 1073 tls = c->u.tls; 1074 1075 if (tls == NULL) { 1076 return; 1077 } 1078 1079 s = tls->session; 1080 1081 if (s == NULL || !tls->handshake) { 1082 handler = c->write_state->ready_handler; 1083 goto done; 1084 } 1085 1086 mode = SSL_get_shutdown(s); 1087 1088 if (c->socket.timedout || c->socket.error != 0) { 1089 quiet = 1; 1090 1091 } else if (c->socket.closed && !(mode & SSL_RECEIVED_SHUTDOWN)) { 1092 quiet = 1; 1093 1094 } else { 1095 quiet = 0; 1096 } 1097 1098 SSL_set_quiet_shutdown(s, quiet); 1099 1100 if (tls->conf->no_wait_shutdown) { 1101 mode |= SSL_RECEIVED_SHUTDOWN; 1102 } 1103 1104 once = 1; 1105 1106 for ( ;; ) { 1107 SSL_set_shutdown(s, mode); 1108 1109 ret = SSL_shutdown(s); 1110 1111 err = (ret <= 0) ? nxt_socket_errno : 0; 1112 1113 nxt_debug(task, "SSL_shutdown(%d, %d, %b): %d err:%d", 1114 c->socket.fd, mode, quiet, ret, err); 1115 1116 if (ret > 0) { 1117 /* ret == 1, the shutdown was successfully completed. */ 1118 handler = c->write_state->ready_handler; 1119 goto done; 1120 } 1121 1122 if (ret == 0) { 1123 /* 1124 * If SSL_shutdown() returns 0 then it should be called 1125 * again. The second SSL_shutdown() call should return 1126 * -1/SSL_ERROR_WANT_READ or -1/SSL_ERROR_WANT_WRITE. 1127 * OpenSSL prior to 0.9.8m version however never returns 1128 * -1 at all. Fortunately, OpenSSL preserves internally 1129 * correct status available via SSL_get_error(-1). 1130 */ 1131 if (once) { 1132 once = 0; 1133 mode = SSL_get_shutdown(s); 1134 continue; 1135 } 1136 1137 ret = -1; 1138 } 1139 1140 /* ret == -1 */ 1141 1142 break; 1143 } 1144 1145 c->socket.read_handler = nxt_openssl_conn_io_shutdown; 1146 c->socket.write_handler = nxt_openssl_conn_io_shutdown; 1147 c->socket.error_handler = c->write_state->error_handler; 1148 1149 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_SHUTDOWN); 1150 1151 switch (n) { 1152 1153 case 0: 1154 handler = c->write_state->close_handler; 1155 break; 1156 1157 case NXT_AGAIN: 1158 c->write_timer.handler = nxt_openssl_conn_io_shutdown_timeout; 1159 nxt_timer_add(task->thread->engine, &c->write_timer, 5000); 1160 return; 1161 1162 default: 1163 case NXT_ERROR: 1164 nxt_openssl_conn_error(task, err, "SSL_shutdown(%d) failed", 1165 c->socket.fd); 1166 handler = c->write_state->error_handler; 1167 } 1168 1169 done: 1170 1171 nxt_openssl_conn_free(task, c); 1172 1173 nxt_work_queue_add(c->write_work_queue, handler, task, c, data); 1174 } 1175 1176 1177 static nxt_int_t 1178 nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, int ret, 1179 nxt_err_t sys_err, nxt_openssl_io_t io) 1180 { 1181 u_long lib_err; 1182 nxt_openssl_conn_t *tls; 1183 1184 tls = c->u.tls; 1185 1186 tls->ssl_error = SSL_get_error(tls->session, ret); 1187 1188 nxt_debug(task, "SSL_get_error(): %d", tls->ssl_error); 1189 1190 switch (tls->ssl_error) { 1191 1192 case SSL_ERROR_WANT_READ: 1193 c->socket.read_ready = 0; 1194 1195 if (io != NXT_OPENSSL_READ) { 1196 nxt_fd_event_block_write(task->thread->engine, &c->socket); 1197 1198 if (nxt_fd_event_is_disabled(c->socket.read)) { 1199 nxt_fd_event_enable_read(task->thread->engine, &c->socket); 1200 } 1201 } 1202 1203 return NXT_AGAIN; 1204 1205 case SSL_ERROR_WANT_WRITE: 1206 c->socket.write_ready = 0; 1207 1208 if (io != NXT_OPENSSL_WRITE) { 1209 nxt_fd_event_block_read(task->thread->engine, &c->socket); 1210 1211 if (nxt_fd_event_is_disabled(c->socket.write)) { 1212 nxt_fd_event_enable_write(task->thread->engine, &c->socket); 1213 } 1214 } 1215 1216 return NXT_AGAIN; 1217 1218 case SSL_ERROR_SYSCALL: 1219 lib_err = ERR_peek_error(); 1220 1221 nxt_debug(task, "ERR_peek_error(): %l", lib_err); 1222 1223 if (sys_err != 0 || lib_err != 0) { 1224 c->socket.error = sys_err; 1225 return NXT_ERROR; 1226 } 1227 1228 /* A connection was just closed. */ 1229 c->socket.closed = 1; 1230 return 0; 1231 1232 case SSL_ERROR_ZERO_RETURN: 1233 /* A "close notify" alert. */ 1234 return 0; 1235 1236 default: /* SSL_ERROR_SSL, etc. */ 1237 c->socket.error = 1000; /* Nonexistent errno code. */ 1238 return NXT_ERROR; 1239 } 1240 } 1241 1242 1243 static void 1244 nxt_openssl_conn_io_shutdown_timeout(nxt_task_t *task, void *obj, void *data) 1245 { 1246 nxt_conn_t *c; 1247 nxt_timer_t *timer; 1248 1249 timer = obj; 1250 1251 nxt_debug(task, "openssl conn shutdown timeout"); 1252 1253 c = nxt_write_timer_conn(timer); 1254 1255 c->socket.timedout = 1; 1256 nxt_openssl_conn_io_shutdown(task, c, NULL); 1257 } 1258 1259 1260 static void nxt_cdecl 1261 nxt_openssl_conn_error(nxt_task_t *task, nxt_err_t err, const char *fmt, ...) 1262 { 1263 u_char *p, *end; 1264 va_list args; 1265 nxt_uint_t level; 1266 u_char msg[NXT_MAX_ERROR_STR]; 1267 1268 level = nxt_openssl_log_error_level(err); 1269 1270 if (nxt_log_level_enough(task->log, level)) { 1271 1272 end = msg + sizeof(msg); 1273 1274 va_start(args, fmt); 1275 p = nxt_vsprintf(msg, end, fmt, args); 1276 va_end(args); 1277 1278 if (err != 0) { 1279 p = nxt_sprintf(p, end, " %E", err); 1280 } 1281 1282 p = nxt_openssl_copy_error(p, end); 1283 1284 nxt_log(task, level, "%*s", p - msg, msg); 1285 1286 } else { 1287 ERR_clear_error(); 1288 } 1289 } 1290 1291 1292 static nxt_uint_t 1293 nxt_openssl_log_error_level(nxt_err_t err) 1294 { 1295 switch (ERR_GET_REASON(ERR_peek_error())) { 1296 1297 case 0: 1298 return nxt_socket_error_level(err); 1299 1300 case SSL_R_BAD_CHANGE_CIPHER_SPEC: /* 103 */ 1301 case SSL_R_BLOCK_CIPHER_PAD_IS_WRONG: /* 129 */ 1302 case SSL_R_DIGEST_CHECK_FAILED: /* 149 */ 1303 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: /* 151 */ 1304 case SSL_R_EXCESSIVE_MESSAGE_SIZE: /* 152 */ 1305 case SSL_R_LENGTH_MISMATCH: /* 159 */ 1306 #ifdef SSL_R_NO_CIPHERS_PASSED 1307 case SSL_R_NO_CIPHERS_PASSED: /* 182 */ 1308 #endif 1309 case SSL_R_NO_CIPHERS_SPECIFIED: /* 183 */ 1310 case SSL_R_NO_COMPRESSION_SPECIFIED: /* 187 */ 1311 case SSL_R_NO_SHARED_CIPHER: /* 193 */ 1312 case SSL_R_RECORD_LENGTH_MISMATCH: /* 213 */ 1313 #ifdef SSL_R_PARSE_TLSEXT 1314 case SSL_R_PARSE_TLSEXT: /* 227 */ 1315 #endif 1316 case SSL_R_UNEXPECTED_MESSAGE: /* 244 */ 1317 case SSL_R_UNEXPECTED_RECORD: /* 245 */ 1318 case SSL_R_UNKNOWN_ALERT_TYPE: /* 246 */ 1319 case SSL_R_UNKNOWN_PROTOCOL: /* 252 */ 1320 case SSL_R_WRONG_VERSION_NUMBER: /* 267 */ 1321 case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: /* 281 */ 1322 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG 1323 case SSL_R_RENEGOTIATE_EXT_TOO_LONG: /* 335 */ 1324 case SSL_R_RENEGOTIATION_ENCODING_ERR: /* 336 */ 1325 case SSL_R_RENEGOTIATION_MISMATCH: /* 337 */ 1326 #endif 1327 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 1328 case SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED: /* 338 */ 1329 #endif 1330 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 1331 case SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING: /* 345 */ 1332 #endif 1333 case 1000:/* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ 1334 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: /* 1010 */ 1335 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: /* 1020 */ 1336 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: /* 1021 */ 1337 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: /* 1022 */ 1338 case SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE: /* 1030 */ 1339 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: /* 1040 */ 1340 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: /* 1047 */ 1341 break; 1342 1343 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: /* 1041 */ 1344 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE: /* 1042 */ 1345 case SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE: /* 1043 */ 1346 case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED: /* 1044 */ 1347 case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED: /* 1045 */ 1348 case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN: /* 1046 */ 1349 case SSL_R_TLSV1_ALERT_UNKNOWN_CA: /* 1048 */ 1350 case SSL_R_TLSV1_ALERT_ACCESS_DENIED: /* 1049 */ 1351 case SSL_R_TLSV1_ALERT_DECODE_ERROR: /* 1050 */ 1352 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: /* 1051 */ 1353 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: /* 1060 */ 1354 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION: /* 1070 */ 1355 case SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY: /* 1071 */ 1356 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: /* 1080 */ 1357 case SSL_R_TLSV1_ALERT_USER_CANCELLED: /* 1090 */ 1358 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: /* 1100 */ 1359 return NXT_LOG_ERR; 1360 1361 default: 1362 return NXT_LOG_ALERT; 1363 } 1364 1365 return NXT_LOG_INFO; 1366 } 1367 1368 1369 void nxt_cdecl 1370 nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level, const char *fmt, ...) 1371 { 1372 u_char *p, *end; 1373 va_list args; 1374 u_char msg[NXT_MAX_ERROR_STR]; 1375 1376 end = msg + sizeof(msg); 1377 1378 va_start(args, fmt); 1379 p = nxt_vsprintf(msg, end, fmt, args); 1380 va_end(args); 1381 1382 p = nxt_openssl_copy_error(p, end); 1383 1384 nxt_log(task, level, "%*s", p - msg, msg); 1385 } 1386 1387 1388 u_char * 1389 nxt_openssl_copy_error(u_char *p, u_char *end) 1390 { 1391 int flags; 1392 u_long err; 1393 nxt_bool_t clear; 1394 const char *data, *delimiter; 1395 1396 err = ERR_peek_error(); 1397 if (err == 0) { 1398 return p; 1399 } 1400 1401 /* Log the most relevant error message ... */ 1402 data = ERR_reason_error_string(err); 1403 1404 p = nxt_sprintf(p, end, " (%d: %s) (OpenSSL: ", ERR_GET_REASON(err), data); 1405 1406 /* 1407 * ... followed by all queued cumbersome OpenSSL error messages 1408 * and drain the error queue. 1409 */ 1410 delimiter = ""; 1411 clear = 0; 1412 1413 for ( ;; ) { 1414 err = ERR_get_error_line_data(NULL, NULL, &data, &flags); 1415 if (err == 0) { 1416 break; 1417 } 1418 1419 p = nxt_sprintf(p, end, "%s", delimiter); 1420 1421 ERR_error_string_n(err, (char *) p, end - p); 1422 1423 while (p < end && *p != '\0') { 1424 p++; 1425 } 1426 1427 if ((flags & ERR_TXT_STRING) != 0) { 1428 p = nxt_sprintf(p, end, ":%s", data); 1429 } 1430 1431 clear |= ((flags & ERR_TXT_MALLOCED) != 0); 1432 1433 delimiter = "; "; 1434 } 1435 1436 /* Deallocate additional data. */ 1437 1438 if (clear) { 1439 ERR_clear_error(); 1440 } 1441 1442 if (p < end) { 1443 *p++ = ')'; 1444 } 1445 1446 return p; 1447 } 1448