1 2 /* 3 * Copyright (C) Igor Sysoev 4 * Copyright (C) NGINX, Inc. 5 */ 6 7 #include <nxt_main.h> 8 #include <nxt_conf.h> 9 #include <openssl/ssl.h> 10 #include <openssl/conf.h> 11 #include <openssl/err.h> 12 #include <openssl/rand.h> 13 #include <openssl/x509v3.h> 14 15 16 typedef struct { 17 SSL *session; 18 nxt_conn_t *conn; 19 20 int ssl_error; 21 uint8_t times; /* 2 bits */ 22 uint8_t handshake; /* 1 bit */ 23 24 nxt_tls_conf_t *conf; 25 nxt_buf_mem_t buffer; 26 } nxt_openssl_conn_t; 27 28 29 typedef enum { 30 NXT_OPENSSL_HANDSHAKE = 0, 31 NXT_OPENSSL_READ, 32 NXT_OPENSSL_WRITE, 33 NXT_OPENSSL_SHUTDOWN, 34 } nxt_openssl_io_t; 35 36 37 static nxt_int_t nxt_openssl_library_init(nxt_task_t *task); 38 static void nxt_openssl_library_free(nxt_task_t *task); 39 #if OPENSSL_VERSION_NUMBER < 0x10100004L 40 static nxt_int_t nxt_openssl_locks_init(void); 41 static void nxt_openssl_lock(int mode, int type, const char *file, int line); 42 static unsigned long nxt_openssl_thread_id(void); 43 static void nxt_openssl_locks_free(void); 44 #endif 45 static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp, 46 nxt_tls_init_t *tls_init, nxt_bool_t last); 47 static nxt_int_t nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, 48 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t single); 49 #if (NXT_HAVE_OPENSSL_CONF_CMD) 50 static nxt_int_t nxt_ssl_conf_commands(nxt_task_t *task, SSL_CTX *ctx, 51 nxt_conf_value_t *value, nxt_mp_t *mp); 52 #endif 53 static void nxt_ssl_session_cache(SSL_CTX *ctx, size_t cache_size, 54 time_t timeout); 55 static nxt_uint_t nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, 56 nxt_tls_conf_t *conf, nxt_mp_t *mp); 57 static nxt_int_t nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, 58 void *data); 59 static nxt_int_t nxt_openssl_bundle_hash_insert(nxt_task_t *task, 60 nxt_lvlhsh_t *lvlhsh, nxt_tls_bundle_hash_item_t *item, nxt_mp_t * mp); 61 static nxt_int_t nxt_openssl_servername(SSL *s, int *ad, void *arg); 62 static nxt_tls_bundle_conf_t *nxt_openssl_find_ctx(nxt_tls_conf_t *conf, 63 nxt_str_t *sn); 64 static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf); 65 static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, 66 nxt_conn_t *c); 67 static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data); 68 static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b); 69 static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb); 70 static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, 71 void *buf, size_t size); 72 static void nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, 73 void *data); 74 static nxt_int_t nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, 75 int ret, nxt_err_t sys_err, nxt_openssl_io_t io); 76 static void nxt_openssl_conn_io_shutdown_timeout(nxt_task_t *task, void *obj, 77 void *data); 78 static void nxt_cdecl nxt_openssl_conn_error(nxt_task_t *task, 79 nxt_err_t err, const char *fmt, ...); 80 static nxt_uint_t nxt_openssl_log_error_level(nxt_err_t err); 81 82 83 const nxt_tls_lib_t nxt_openssl_lib = { 84 .library_init = nxt_openssl_library_init, 85 .library_free = nxt_openssl_library_free, 86 87 .server_init = nxt_openssl_server_init, 88 .server_free = nxt_openssl_server_free, 89 }; 90 91 92 static nxt_conn_io_t nxt_openssl_conn_io = { 93 .read = nxt_conn_io_read, 94 .recvbuf = nxt_openssl_conn_io_recvbuf, 95 96 .write = nxt_conn_io_write, 97 .sendbuf = nxt_openssl_conn_io_sendbuf, 98 99 .shutdown = nxt_openssl_conn_io_shutdown, 100 }; 101 102 103 static long nxt_openssl_version; 104 static int nxt_openssl_connection_index; 105 106 107 static nxt_int_t 108 nxt_openssl_library_init(nxt_task_t *task) 109 { 110 int index; 111 112 if (nxt_fast_path(nxt_openssl_version != 0)) { 113 return NXT_OK; 114 } 115 116 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 117 118 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); 119 120 #else 121 { 122 nxt_int_t ret; 123 124 SSL_load_error_strings(); 125 126 OPENSSL_config(NULL); 127 128 /* 129 * SSL_library_init(3): 130 * 131 * SSL_library_init() always returns "1", 132 * so it is safe to discard the return value. 133 */ 134 (void) SSL_library_init(); 135 136 ret = nxt_openssl_locks_init(); 137 if (nxt_slow_path(ret != NXT_OK)) { 138 return ret; 139 } 140 } 141 142 #endif 143 144 nxt_openssl_version = SSLeay(); 145 146 nxt_log(task, NXT_LOG_INFO, "%s, %xl", 147 SSLeay_version(SSLEAY_VERSION), nxt_openssl_version); 148 149 #ifndef SSL_OP_NO_COMPRESSION 150 { 151 /* 152 * Disable gzip compression in OpenSSL prior to 1.0.0 153 * version, this saves about 522K per connection. 154 */ 155 int n; 156 STACK_OF(SSL_COMP) *ssl_comp_methods; 157 158 ssl_comp_methods = SSL_COMP_get_compression_methods(); 159 160 for (n = sk_SSL_COMP_num(ssl_comp_methods); n != 0; n--) { 161 (void) sk_SSL_COMP_pop(ssl_comp_methods); 162 } 163 } 164 #endif 165 166 index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); 167 168 if (index == -1) { 169 nxt_openssl_log_error(task, NXT_LOG_ALERT, 170 "SSL_get_ex_new_index() failed"); 171 return NXT_ERROR; 172 } 173 174 nxt_openssl_connection_index = index; 175 176 return NXT_OK; 177 } 178 179 180 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 181 182 static void 183 nxt_openssl_library_free(nxt_task_t *task) 184 { 185 } 186 187 #else 188 189 static nxt_thread_mutex_t *nxt_openssl_locks; 190 191 static nxt_int_t 192 nxt_openssl_locks_init(void) 193 { 194 int i, n; 195 nxt_int_t ret; 196 197 n = CRYPTO_num_locks(); 198 199 nxt_openssl_locks = OPENSSL_malloc(n * sizeof(nxt_thread_mutex_t)); 200 if (nxt_slow_path(nxt_openssl_locks == NULL)) { 201 return NXT_ERROR; 202 } 203 204 for (i = 0; i < n; i++) { 205 ret = nxt_thread_mutex_create(&nxt_openssl_locks[i]); 206 if (nxt_slow_path(ret != NXT_OK)) { 207 return ret; 208 } 209 } 210 211 CRYPTO_set_locking_callback(nxt_openssl_lock); 212 213 CRYPTO_set_id_callback(nxt_openssl_thread_id); 214 215 return NXT_OK; 216 } 217 218 219 static void 220 nxt_openssl_lock(int mode, int type, const char *file, int line) 221 { 222 nxt_thread_mutex_t *lock; 223 224 lock = &nxt_openssl_locks[type]; 225 226 if ((mode & CRYPTO_LOCK) != 0) { 227 (void) nxt_thread_mutex_lock(lock); 228 229 } else { 230 (void) nxt_thread_mutex_unlock(lock); 231 } 232 } 233 234 235 static u_long 236 nxt_openssl_thread_id(void) 237 { 238 return (u_long) nxt_thread_handle(); 239 } 240 241 242 static void 243 nxt_openssl_library_free(nxt_task_t *task) 244 { 245 nxt_openssl_locks_free(); 246 } 247 248 249 static void 250 nxt_openssl_locks_free(void) 251 { 252 int i, n; 253 254 n = CRYPTO_num_locks(); 255 256 CRYPTO_set_locking_callback(NULL); 257 258 for (i = 0; i < n; i++) { 259 nxt_thread_mutex_destroy(&nxt_openssl_locks[i]); 260 } 261 262 OPENSSL_free(nxt_openssl_locks); 263 } 264 265 #endif 266 267 268 static nxt_int_t 269 nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp, 270 nxt_tls_init_t *tls_init, nxt_bool_t last) 271 { 272 SSL_CTX *ctx; 273 const char *ciphers, *ca_certificate; 274 nxt_tls_conf_t *conf; 275 STACK_OF(X509_NAME) *list; 276 nxt_tls_bundle_conf_t *bundle; 277 278 ctx = SSL_CTX_new(SSLv23_server_method()); 279 if (ctx == NULL) { 280 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed"); 281 return NXT_ERROR; 282 } 283 284 conf = tls_init->conf; 285 286 bundle = conf->bundle; 287 nxt_assert(bundle != NULL); 288 289 bundle->ctx = ctx; 290 291 #ifdef SSL_OP_NO_RENEGOTIATION 292 /* Renegration is not currently supported. */ 293 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); 294 #endif 295 296 #ifdef SSL_OP_NO_COMPRESSION 297 /* 298 * Disable gzip compression in OpenSSL 1.0.0, 299 * this saves about 522K per connection. 300 */ 301 SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); 302 #endif 303 304 #ifdef SSL_MODE_RELEASE_BUFFERS 305 306 if (nxt_openssl_version >= 10001078) { 307 /* 308 * Allow to release read and write buffers in OpenSSL 1.0.0, 309 * this saves about 34K per idle connection. It is not safe 310 * before OpenSSL 1.0.1h (CVE-2010-5298). 311 */ 312 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); 313 } 314 315 #endif 316 317 if (nxt_openssl_chain_file(task, ctx, conf, mp, 318 last && bundle->next == NULL) 319 != NXT_OK) 320 { 321 goto fail; 322 } 323 /* 324 key = conf->certificate_key; 325 326 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) { 327 nxt_openssl_log_error(task, NXT_LOG_ALERT, 328 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", 329 key); 330 goto fail; 331 } 332 */ 333 334 ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5"; 335 336 if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) { 337 nxt_openssl_log_error(task, NXT_LOG_ALERT, 338 "SSL_CTX_set_cipher_list(\"%s\") failed", 339 ciphers); 340 goto fail; 341 } 342 343 #if (NXT_HAVE_OPENSSL_CONF_CMD) 344 if (tls_init->conf_cmds != NULL 345 && nxt_ssl_conf_commands(task, ctx, tls_init->conf_cmds, mp) != NXT_OK) 346 { 347 goto fail; 348 } 349 #endif 350 351 nxt_ssl_session_cache(ctx, tls_init->cache_size, tls_init->timeout); 352 353 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 354 355 if (conf->ca_certificate != NULL) { 356 357 /* TODO: verify callback */ 358 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 359 360 /* TODO: verify depth */ 361 SSL_CTX_set_verify_depth(ctx, 1); 362 363 ca_certificate = conf->ca_certificate; 364 365 if (SSL_CTX_load_verify_locations(ctx, ca_certificate, NULL) == 0) { 366 nxt_openssl_log_error(task, NXT_LOG_ALERT, 367 "SSL_CTX_load_verify_locations(\"%s\") failed", 368 ca_certificate); 369 goto fail; 370 } 371 372 list = SSL_load_client_CA_file(ca_certificate); 373 374 if (list == NULL) { 375 nxt_openssl_log_error(task, NXT_LOG_ALERT, 376 "SSL_load_client_CA_file(\"%s\") failed", 377 ca_certificate); 378 goto fail; 379 } 380 381 /* 382 * SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and 383 * 0.9.8 versions always leaves an error in the error queue. 384 */ 385 ERR_clear_error(); 386 387 SSL_CTX_set_client_CA_list(ctx, list); 388 } 389 390 if (last) { 391 conf->conn_init = nxt_openssl_conn_init; 392 393 if (bundle->next != NULL) { 394 SSL_CTX_set_tlsext_servername_callback(ctx, nxt_openssl_servername); 395 } 396 } 397 398 return NXT_OK; 399 400 fail: 401 402 SSL_CTX_free(ctx); 403 404 #if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 405 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 406 RAND_keep_random_devices_open(0); 407 #endif 408 409 return NXT_ERROR; 410 } 411 412 413 static nxt_int_t 414 nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, nxt_tls_conf_t *conf, 415 nxt_mp_t *mp, nxt_bool_t single) 416 { 417 BIO *bio; 418 X509 *cert, *ca; 419 long reason; 420 EVP_PKEY *key; 421 nxt_int_t ret; 422 nxt_tls_bundle_conf_t *bundle; 423 424 ret = NXT_ERROR; 425 cert = NULL; 426 427 bio = BIO_new(BIO_s_fd()); 428 if (bio == NULL) { 429 goto end; 430 } 431 432 bundle = conf->bundle; 433 434 BIO_set_fd(bio, bundle->chain_file, BIO_CLOSE); 435 436 cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); 437 if (cert == NULL) { 438 goto end; 439 } 440 441 if (SSL_CTX_use_certificate(ctx, cert) != 1) { 442 goto end; 443 } 444 445 if (!single && nxt_openssl_cert_get_names(task, cert, conf, mp) != NXT_OK) { 446 goto clean; 447 } 448 449 for ( ;; ) { 450 ca = PEM_read_bio_X509(bio, NULL, NULL, NULL); 451 452 if (ca == NULL) { 453 reason = ERR_GET_REASON(ERR_peek_last_error()); 454 if (reason != PEM_R_NO_START_LINE) { 455 goto end; 456 } 457 458 ERR_clear_error(); 459 break; 460 } 461 462 /* 463 * Note that ca isn't freed if it was successfully added to the chain, 464 * while the main certificate needs a X509_free() call, since 465 * its reference count is increased by SSL_CTX_use_certificate(). 466 */ 467 #ifdef SSL_CTX_add0_chain_cert 468 if (SSL_CTX_add0_chain_cert(ctx, ca) != 1) { 469 #else 470 if (SSL_CTX_add_extra_chain_cert(ctx, ca) != 1) { 471 #endif 472 X509_free(ca); 473 goto end; 474 } 475 } 476 477 if (BIO_reset(bio) != 0) { 478 goto end; 479 } 480 481 key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); 482 if (key == NULL) { 483 goto end; 484 } 485 486 if (SSL_CTX_use_PrivateKey(ctx, key) == 1) { 487 ret = NXT_OK; 488 } 489 490 EVP_PKEY_free(key); 491 492 end: 493 494 if (ret != NXT_OK) { 495 nxt_openssl_log_error(task, NXT_LOG_ALERT, 496 "nxt_openssl_chain_file() failed"); 497 } 498 499 clean: 500 501 BIO_free(bio); 502 X509_free(cert); 503 504 return ret; 505 } 506 507 508 #if (NXT_HAVE_OPENSSL_CONF_CMD) 509 510 static nxt_int_t 511 nxt_ssl_conf_commands(nxt_task_t *task, SSL_CTX *ctx, nxt_conf_value_t *conf, 512 nxt_mp_t *mp) 513 { 514 int ret; 515 char *zcmd, *zvalue; 516 uint32_t index; 517 nxt_str_t cmd, value; 518 SSL_CONF_CTX *cctx; 519 nxt_conf_value_t *member; 520 521 cctx = SSL_CONF_CTX_new(); 522 if (nxt_slow_path(cctx == NULL)) { 523 nxt_openssl_log_error(task, NXT_LOG_ALERT, 524 "SSL_CONF_CTX_new() failed"); 525 return NXT_ERROR; 526 } 527 528 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE 529 | SSL_CONF_FLAG_SERVER 530 | SSL_CONF_FLAG_CERTIFICATE 531 | SSL_CONF_FLAG_SHOW_ERRORS); 532 533 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); 534 535 index = 0; 536 537 for ( ;; ) { 538 member = nxt_conf_next_object_member(conf, &cmd, &index); 539 if (nxt_slow_path(member == NULL)) { 540 break; 541 } 542 543 nxt_conf_get_string(member, &value); 544 545 zcmd = nxt_str_cstrz(mp, &cmd); 546 zvalue = nxt_str_cstrz(mp, &value); 547 548 if (nxt_slow_path(zcmd == NULL || zvalue == NULL)) { 549 goto fail; 550 } 551 552 ret = SSL_CONF_cmd(cctx, zcmd, zvalue); 553 if (ret == -2) { 554 nxt_openssl_log_error(task, NXT_LOG_ERR, 555 "unknown command \"%s\" in " 556 "\"conf_commands\" option", zcmd); 557 goto fail; 558 } 559 560 if (ret <= 0) { 561 nxt_openssl_log_error(task, NXT_LOG_ERR, 562 "invalid value \"%s\" for command \"%s\" " 563 "in \"conf_commands\" option", 564 zvalue, zcmd); 565 goto fail; 566 } 567 568 nxt_debug(task, "SSL_CONF_cmd(\"%s\", \"%s\")", zcmd, zvalue); 569 } 570 571 if (SSL_CONF_CTX_finish(cctx) != 1) { 572 nxt_openssl_log_error(task, NXT_LOG_ALERT, 573 "SSL_CONF_finish() failed"); 574 goto fail; 575 } 576 577 SSL_CONF_CTX_free(cctx); 578 579 return NXT_OK; 580 581 fail: 582 583 SSL_CONF_CTX_free(cctx); 584 585 return NXT_ERROR; 586 } 587 588 #endif 589 590 591 static void 592 nxt_ssl_session_cache(SSL_CTX *ctx, size_t cache_size, time_t timeout) 593 { 594 if (cache_size == 0) { 595 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); 596 return; 597 } 598 599 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); 600 601 SSL_CTX_sess_set_cache_size(ctx, cache_size); 602 603 SSL_CTX_set_timeout(ctx, (long) timeout); 604 } 605 606 607 static nxt_uint_t 608 nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, nxt_tls_conf_t *conf, 609 nxt_mp_t *mp) 610 { 611 int len; 612 nxt_str_t domain, str; 613 X509_NAME *x509_name; 614 nxt_uint_t i, n; 615 GENERAL_NAME *name; 616 nxt_tls_bundle_conf_t *bundle; 617 STACK_OF(GENERAL_NAME) *alt_names; 618 nxt_tls_bundle_hash_item_t *item; 619 620 bundle = conf->bundle; 621 622 alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 623 624 if (alt_names != NULL) { 625 n = sk_GENERAL_NAME_num(alt_names); 626 627 for (i = 0; i != n; i++) { 628 name = sk_GENERAL_NAME_value(alt_names, i); 629 630 if (name->type != GEN_DNS) { 631 continue; 632 } 633 634 str.length = ASN1_STRING_length(name->d.dNSName); 635 #if OPENSSL_VERSION_NUMBER > 0x10100000L 636 str.start = (u_char *) ASN1_STRING_get0_data(name->d.dNSName); 637 #else 638 str.start = ASN1_STRING_data(name->d.dNSName); 639 #endif 640 641 domain.start = nxt_mp_nget(mp, str.length); 642 if (nxt_slow_path(domain.start == NULL)) { 643 goto fail; 644 } 645 646 domain.length = str.length; 647 nxt_memcpy_lowcase(domain.start, str.start, str.length); 648 649 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t)); 650 if (nxt_slow_path(item == NULL)) { 651 goto fail; 652 } 653 654 item->name = domain; 655 item->bundle = bundle; 656 657 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, 658 item, mp) 659 == NXT_ERROR) 660 { 661 goto fail; 662 } 663 } 664 665 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free); 666 667 } else { 668 x509_name = X509_get_subject_name(cert); 669 len = X509_NAME_get_text_by_NID(x509_name, NID_commonName, 670 NULL, 0); 671 if (len <= 0) { 672 nxt_log(task, NXT_LOG_WARN, "certificate \"%V\" has neither " 673 "Subject Alternative Name nor Common Name", &bundle->name); 674 return NXT_OK; 675 } 676 677 domain.start = nxt_mp_nget(mp, len + 1); 678 if (nxt_slow_path(domain.start == NULL)) { 679 return NXT_ERROR; 680 } 681 682 domain.length = X509_NAME_get_text_by_NID(x509_name, NID_commonName, 683 (char *) domain.start, 684 len + 1); 685 nxt_memcpy_lowcase(domain.start, domain.start, domain.length); 686 687 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t)); 688 if (nxt_slow_path(item == NULL)) { 689 return NXT_ERROR; 690 } 691 692 item->name = domain; 693 item->bundle = bundle; 694 695 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, item, 696 mp) 697 == NXT_ERROR) 698 { 699 return NXT_ERROR; 700 } 701 } 702 703 return NXT_OK; 704 705 fail: 706 707 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free); 708 709 return NXT_ERROR; 710 } 711 712 713 static const nxt_lvlhsh_proto_t nxt_openssl_bundle_hash_proto 714 nxt_aligned(64) = 715 { 716 NXT_LVLHSH_DEFAULT, 717 nxt_openssl_bundle_hash_test, 718 nxt_mp_lvlhsh_alloc, 719 nxt_mp_lvlhsh_free, 720 }; 721 722 723 static nxt_int_t 724 nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, void *data) 725 { 726 nxt_tls_bundle_hash_item_t *item; 727 728 item = data; 729 730 return nxt_strstr_eq(&lhq->key, &item->name) ? NXT_OK : NXT_DECLINED; 731 } 732 733 734 static nxt_int_t 735 nxt_openssl_bundle_hash_insert(nxt_task_t *task, nxt_lvlhsh_t *lvlhsh, 736 nxt_tls_bundle_hash_item_t *item, nxt_mp_t *mp) 737 { 738 nxt_str_t str; 739 nxt_int_t ret; 740 nxt_lvlhsh_query_t lhq; 741 nxt_tls_bundle_hash_item_t *old; 742 743 str = item->name; 744 745 if (item->name.start[0] == '*') { 746 item->name.start++; 747 item->name.length--; 748 749 if (item->name.length == 0 || item->name.start[0] != '.') { 750 nxt_log(task, NXT_LOG_WARN, "ignored invalid name \"%V\" " 751 "in certificate \"%V\": missing \".\" " 752 "after wildcard symbol", &str, &item->bundle->name); 753 return NXT_OK; 754 } 755 } 756 757 lhq.pool = mp; 758 lhq.key = item->name; 759 lhq.value = item; 760 lhq.proto = &nxt_openssl_bundle_hash_proto; 761 lhq.replace = 0; 762 lhq.key_hash = nxt_murmur_hash2(item->name.start, item->name.length); 763 764 ret = nxt_lvlhsh_insert(lvlhsh, &lhq); 765 if (nxt_fast_path(ret == NXT_OK)) { 766 nxt_debug(task, "name \"%V\" for certificate \"%V\" is inserted", 767 &str, &item->bundle->name); 768 return NXT_OK; 769 } 770 771 if (nxt_fast_path(ret == NXT_DECLINED)) { 772 old = lhq.value; 773 if (old->bundle != item->bundle) { 774 nxt_log(task, NXT_LOG_WARN, "ignored duplicate name \"%V\" " 775 "in certificate \"%V\", identical name appears in \"%V\"", 776 &str, &old->bundle->name, &item->bundle->name); 777 778 old->bundle = item->bundle; 779 } 780 781 return NXT_OK; 782 } 783 784 return NXT_ERROR; 785 } 786 787 788 static nxt_int_t 789 nxt_openssl_servername(SSL *s, int *ad, void *arg) 790 { 791 nxt_str_t str; 792 nxt_uint_t i; 793 nxt_conn_t *c; 794 const char *servername; 795 nxt_tls_conf_t *conf; 796 nxt_openssl_conn_t *tls; 797 nxt_tls_bundle_conf_t *bundle; 798 799 c = SSL_get_ex_data(s, nxt_openssl_connection_index); 800 801 if (nxt_slow_path(c == NULL)) { 802 nxt_thread_log_alert("SSL_get_ex_data() failed"); 803 return SSL_TLSEXT_ERR_ALERT_FATAL; 804 } 805 806 servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 807 if (nxt_slow_path(servername == NULL)) { 808 nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned " 809 "NULL in server name callback"); 810 return SSL_TLSEXT_ERR_ALERT_FATAL; 811 } 812 813 str.length = nxt_strlen(servername); 814 if (str.length == 0) { 815 nxt_debug(c->socket.task, "client sent zero-length server name"); 816 goto done; 817 } 818 819 if (servername[0] == '.') { 820 nxt_debug(c->socket.task, "ignored the server name \"%s\": " 821 "leading \".\"", servername); 822 goto done; 823 } 824 825 nxt_debug(c->socket.task, "tls with servername \"%s\"", servername); 826 827 str.start = nxt_mp_nget(c->mem_pool, str.length); 828 if (nxt_slow_path(str.start == NULL)) { 829 return SSL_TLSEXT_ERR_ALERT_FATAL; 830 } 831 832 nxt_memcpy_lowcase(str.start, (const u_char *) servername, str.length); 833 834 tls = c->u.tls; 835 conf = tls->conf; 836 837 bundle = nxt_openssl_find_ctx(conf, &str); 838 839 if (bundle == NULL) { 840 for (i = 1; i < str.length; i++) { 841 if (str.start[i] == '.') { 842 str.start += i; 843 str.length -= i; 844 845 bundle = nxt_openssl_find_ctx(conf, &str); 846 break; 847 } 848 } 849 } 850 851 if (bundle != NULL) { 852 nxt_debug(c->socket.task, "new tls context found for \"%V\": \"%V\" " 853 "(old: \"%V\")", &str, &bundle->name, 854 &conf->bundle->name); 855 856 if (bundle != conf->bundle) { 857 if (SSL_set_SSL_CTX(s, bundle->ctx) == NULL) { 858 nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT, 859 "SSL_set_SSL_CTX() failed"); 860 861 return SSL_TLSEXT_ERR_ALERT_FATAL; 862 } 863 } 864 } 865 866 done: 867 868 return SSL_TLSEXT_ERR_OK; 869 } 870 871 872 static nxt_tls_bundle_conf_t * 873 nxt_openssl_find_ctx(nxt_tls_conf_t *conf, nxt_str_t *sn) 874 { 875 nxt_int_t ret; 876 nxt_lvlhsh_query_t lhq; 877 nxt_tls_bundle_hash_item_t *item; 878 879 lhq.key_hash = nxt_murmur_hash2(sn->start, sn->length); 880 lhq.key = *sn; 881 lhq.proto = &nxt_openssl_bundle_hash_proto; 882 883 ret = nxt_lvlhsh_find(&conf->bundle_hash, &lhq); 884 if (ret != NXT_OK) { 885 return NULL; 886 } 887 888 item = lhq.value; 889 890 return item->bundle; 891 } 892 893 894 static void 895 nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf) 896 { 897 nxt_tls_bundle_conf_t *bundle; 898 899 bundle = conf->bundle; 900 nxt_assert(bundle != NULL); 901 902 do { 903 SSL_CTX_free(bundle->ctx); 904 bundle = bundle->next; 905 } while (bundle != NULL); 906 907 #if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 908 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 909 RAND_keep_random_devices_open(0); 910 #endif 911 } 912 913 914 static void 915 nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, nxt_conn_t *c) 916 { 917 int ret; 918 SSL *s; 919 SSL_CTX *ctx; 920 nxt_openssl_conn_t *tls; 921 922 nxt_log_debug(c->socket.log, "openssl conn init"); 923 924 tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t)); 925 if (tls == NULL) { 926 goto fail; 927 } 928 929 c->u.tls = tls; 930 nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size); 931 932 ctx = conf->bundle->ctx; 933 934 s = SSL_new(ctx); 935 if (s == NULL) { 936 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed"); 937 goto fail; 938 } 939 940 tls->session = s; 941 /* To pass TLS config to the nxt_openssl_servername() callback. */ 942 tls->conf = conf; 943 tls->conn = c; 944 945 ret = SSL_set_fd(s, c->socket.fd); 946 947 if (ret == 0) { 948 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed", 949 c->socket.fd); 950 goto fail; 951 } 952 953 SSL_set_accept_state(s); 954 955 if (SSL_set_ex_data(s, nxt_openssl_connection_index, c) == 0) { 956 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed"); 957 goto fail; 958 } 959 960 c->io = &nxt_openssl_conn_io; 961 c->sendfile = NXT_CONN_SENDFILE_OFF; 962 963 nxt_openssl_conn_handshake(task, c, c->socket.data); 964 965 return; 966 967 fail: 968 969 nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler, 970 task, c, c->socket.data); 971 } 972 973 974 nxt_inline void 975 nxt_openssl_conn_free(nxt_task_t *task, nxt_conn_t *c) 976 { 977 nxt_openssl_conn_t *tls; 978 979 nxt_debug(task, "openssl conn free"); 980 981 tls = c->u.tls; 982 983 if (tls != NULL) { 984 c->u.tls = NULL; 985 nxt_free(tls->buffer.start); 986 SSL_free(tls->session); 987 } 988 } 989 990 991 static void 992 nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data) 993 { 994 int ret; 995 nxt_int_t n; 996 nxt_err_t err; 997 nxt_conn_t *c; 998 nxt_work_queue_t *wq; 999 nxt_work_handler_t handler; 1000 nxt_openssl_conn_t *tls; 1001 const nxt_conn_state_t *state; 1002 1003 c = obj; 1004 1005 nxt_debug(task, "openssl conn handshake fd:%d", c->socket.fd); 1006 1007 if (c->socket.error != 0) { 1008 return; 1009 } 1010 1011 tls = c->u.tls; 1012 1013 if (tls == NULL) { 1014 return; 1015 } 1016 1017 nxt_debug(task, "openssl conn handshake: %d times", tls->times); 1018 1019 /* "tls->times == 1" is suitable to run SSL_do_handshake() in job. */ 1020 1021 ret = SSL_do_handshake(tls->session); 1022 1023 err = (ret <= 0) ? nxt_socket_errno : 0; 1024 1025 nxt_thread_time_debug_update(task->thread); 1026 1027 nxt_debug(task, "SSL_do_handshake(%d): %d err:%d", c->socket.fd, ret, err); 1028 1029 state = (c->read_state != NULL) ? c->read_state : c->write_state; 1030 1031 if (ret > 0) { 1032 /* ret == 1, the handshake was successfully completed. */ 1033 tls->handshake = 1; 1034 1035 if (c->read_state != NULL) { 1036 if (state->io_read_handler != NULL || c->read != NULL) { 1037 nxt_conn_read(task->thread->engine, c); 1038 return; 1039 } 1040 1041 } else { 1042 if (c->write != NULL) { 1043 nxt_conn_write(task->thread->engine, c); 1044 return; 1045 } 1046 } 1047 1048 handler = state->ready_handler; 1049 1050 } else { 1051 c->socket.read_handler = nxt_openssl_conn_handshake; 1052 c->socket.write_handler = nxt_openssl_conn_handshake; 1053 1054 n = nxt_openssl_conn_test_error(task, c, ret, err, 1055 NXT_OPENSSL_HANDSHAKE); 1056 switch (n) { 1057 1058 case NXT_AGAIN: 1059 if (tls->ssl_error == SSL_ERROR_WANT_READ && tls->times < 2) { 1060 tls->times++; 1061 } 1062 1063 return; 1064 1065 case 0: 1066 handler = state->close_handler; 1067 break; 1068 1069 default: 1070 case NXT_ERROR: 1071 nxt_openssl_conn_error(task, err, "SSL_do_handshake(%d) failed", 1072 c->socket.fd); 1073 1074 handler = state->error_handler; 1075 break; 1076 } 1077 } 1078 1079 wq = (c->read_state != NULL) ? c->read_work_queue : c->write_work_queue; 1080 1081 nxt_work_queue_add(wq, handler, task, c, data); 1082 } 1083 1084 1085 static ssize_t 1086 nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b) 1087 { 1088 int ret; 1089 size_t size; 1090 nxt_int_t n; 1091 nxt_err_t err; 1092 nxt_openssl_conn_t *tls; 1093 1094 tls = c->u.tls; 1095 size = b->mem.end - b->mem.free; 1096 1097 ret = SSL_read(tls->session, b->mem.free, size); 1098 1099 err = (ret <= 0) ? nxt_socket_errno : 0; 1100 1101 nxt_debug(c->socket.task, "SSL_read(%d, %p, %uz): %d err:%d", 1102 c->socket.fd, b->mem.free, size, ret, err); 1103 1104 if (ret > 0) { 1105 return ret; 1106 } 1107 1108 n = nxt_openssl_conn_test_error(c->socket.task, c, ret, err, 1109 NXT_OPENSSL_READ); 1110 if (n == NXT_ERROR) { 1111 nxt_openssl_conn_error(c->socket.task, err, 1112 "SSL_read(%d, %p, %uz) failed", 1113 c->socket.fd, b->mem.free, size); 1114 } 1115 1116 return n; 1117 } 1118 1119 1120 static ssize_t 1121 nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb) 1122 { 1123 nxt_uint_t niov; 1124 struct iovec iov; 1125 1126 niov = nxt_sendbuf_mem_coalesce0(task, sb, &iov, 1); 1127 1128 if (niov == 0 && sb->sync) { 1129 return 0; 1130 } 1131 1132 return nxt_openssl_conn_io_send(task, sb, iov.iov_base, iov.iov_len); 1133 } 1134 1135 1136 static ssize_t 1137 nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, void *buf, 1138 size_t size) 1139 { 1140 int ret; 1141 nxt_err_t err; 1142 nxt_int_t n; 1143 nxt_conn_t *c; 1144 nxt_openssl_conn_t *tls; 1145 1146 tls = sb->tls; 1147 1148 ret = SSL_write(tls->session, buf, size); 1149 1150 err = (ret <= 0) ? nxt_socket_errno : 0; 1151 1152 nxt_debug(task, "SSL_write(%d, %p, %uz): %d err:%d", 1153 sb->socket, buf, size, ret, err); 1154 1155 if (ret > 0) { 1156 return ret; 1157 } 1158 1159 c = tls->conn; 1160 c->socket.write_ready = sb->ready; 1161 1162 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_WRITE); 1163 1164 sb->ready = c->socket.write_ready; 1165 1166 if (n == NXT_ERROR) { 1167 sb->error = c->socket.error; 1168 nxt_openssl_conn_error(task, err, "SSL_write(%d, %p, %uz) failed", 1169 sb->socket, buf, size); 1170 } 1171 1172 return n; 1173 } 1174 1175 1176 static void 1177 nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, void *data) 1178 { 1179 int ret, mode; 1180 SSL *s; 1181 nxt_err_t err; 1182 nxt_int_t n; 1183 nxt_bool_t quiet, once; 1184 nxt_conn_t *c; 1185 nxt_openssl_conn_t *tls; 1186 nxt_work_handler_t handler; 1187 1188 c = obj; 1189 1190 nxt_debug(task, "openssl conn shutdown fd:%d", c->socket.fd); 1191 1192 c->read_state = NULL; 1193 tls = c->u.tls; 1194 1195 if (tls == NULL) { 1196 return; 1197 } 1198 1199 s = tls->session; 1200 1201 if (s == NULL || !tls->handshake) { 1202 handler = c->write_state->ready_handler; 1203 goto done; 1204 } 1205 1206 mode = SSL_get_shutdown(s); 1207 1208 if (c->socket.timedout || c->socket.error != 0) { 1209 quiet = 1; 1210 1211 } else if (c->socket.closed && !(mode & SSL_RECEIVED_SHUTDOWN)) { 1212 quiet = 1; 1213 1214 } else { 1215 quiet = 0; 1216 } 1217 1218 SSL_set_quiet_shutdown(s, quiet); 1219 1220 if (tls->conf->no_wait_shutdown) { 1221 mode |= SSL_RECEIVED_SHUTDOWN; 1222 } 1223 1224 once = 1; 1225 1226 for ( ;; ) { 1227 SSL_set_shutdown(s, mode); 1228 1229 ret = SSL_shutdown(s); 1230 1231 err = (ret <= 0) ? nxt_socket_errno : 0; 1232 1233 nxt_debug(task, "SSL_shutdown(%d, %d, %b): %d err:%d", 1234 c->socket.fd, mode, quiet, ret, err); 1235 1236 if (ret > 0) { 1237 /* ret == 1, the shutdown was successfully completed. */ 1238 handler = c->write_state->ready_handler; 1239 goto done; 1240 } 1241 1242 if (ret == 0) { 1243 /* 1244 * If SSL_shutdown() returns 0 then it should be called 1245 * again. The second SSL_shutdown() call should return 1246 * -1/SSL_ERROR_WANT_READ or -1/SSL_ERROR_WANT_WRITE. 1247 * OpenSSL prior to 0.9.8m version however never returns 1248 * -1 at all. Fortunately, OpenSSL preserves internally 1249 * correct status available via SSL_get_error(-1). 1250 */ 1251 if (once) { 1252 once = 0; 1253 mode = SSL_get_shutdown(s); 1254 continue; 1255 } 1256 1257 ret = -1; 1258 } 1259 1260 /* ret == -1 */ 1261 1262 break; 1263 } 1264 1265 c->socket.read_handler = nxt_openssl_conn_io_shutdown; 1266 c->socket.write_handler = nxt_openssl_conn_io_shutdown; 1267 c->socket.error_handler = c->write_state->error_handler; 1268 1269 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_SHUTDOWN); 1270 1271 switch (n) { 1272 1273 case 0: 1274 handler = c->write_state->close_handler; 1275 break; 1276 1277 case NXT_AGAIN: 1278 c->write_timer.handler = nxt_openssl_conn_io_shutdown_timeout; 1279 nxt_timer_add(task->thread->engine, &c->write_timer, 5000); 1280 return; 1281 1282 default: 1283 case NXT_ERROR: 1284 nxt_openssl_conn_error(task, err, "SSL_shutdown(%d) failed", 1285 c->socket.fd); 1286 handler = c->write_state->error_handler; 1287 } 1288 1289 done: 1290 1291 nxt_openssl_conn_free(task, c); 1292 1293 nxt_work_queue_add(c->write_work_queue, handler, task, c, data); 1294 } 1295 1296 1297 static nxt_int_t 1298 nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, int ret, 1299 nxt_err_t sys_err, nxt_openssl_io_t io) 1300 { 1301 u_long lib_err; 1302 nxt_openssl_conn_t *tls; 1303 1304 tls = c->u.tls; 1305 1306 tls->ssl_error = SSL_get_error(tls->session, ret); 1307 1308 nxt_debug(task, "SSL_get_error(): %d", tls->ssl_error); 1309 1310 switch (tls->ssl_error) { 1311 1312 case SSL_ERROR_WANT_READ: 1313 c->socket.read_ready = 0; 1314 1315 if (io != NXT_OPENSSL_READ) { 1316 nxt_fd_event_block_write(task->thread->engine, &c->socket); 1317 1318 if (nxt_fd_event_is_disabled(c->socket.read)) { 1319 nxt_fd_event_enable_read(task->thread->engine, &c->socket); 1320 } 1321 } 1322 1323 return NXT_AGAIN; 1324 1325 case SSL_ERROR_WANT_WRITE: 1326 c->socket.write_ready = 0; 1327 1328 if (io != NXT_OPENSSL_WRITE) { 1329 nxt_fd_event_block_read(task->thread->engine, &c->socket); 1330 1331 if (nxt_fd_event_is_disabled(c->socket.write)) { 1332 nxt_fd_event_enable_write(task->thread->engine, &c->socket); 1333 } 1334 } 1335 1336 return NXT_AGAIN; 1337 1338 case SSL_ERROR_SYSCALL: 1339 lib_err = ERR_peek_error(); 1340 1341 nxt_debug(task, "ERR_peek_error(): %l", lib_err); 1342 1343 if (sys_err != 0 || lib_err != 0) { 1344 c->socket.error = sys_err; 1345 return NXT_ERROR; 1346 } 1347 1348 /* A connection was just closed. */ 1349 c->socket.closed = 1; 1350 return 0; 1351 1352 case SSL_ERROR_ZERO_RETURN: 1353 /* A "close notify" alert. */ 1354 return 0; 1355 1356 default: /* SSL_ERROR_SSL, etc. */ 1357 c->socket.error = 1000; /* Nonexistent errno code. */ 1358 return NXT_ERROR; 1359 } 1360 } 1361 1362 1363 static void 1364 nxt_openssl_conn_io_shutdown_timeout(nxt_task_t *task, void *obj, void *data) 1365 { 1366 nxt_conn_t *c; 1367 nxt_timer_t *timer; 1368 1369 timer = obj; 1370 1371 nxt_debug(task, "openssl conn shutdown timeout"); 1372 1373 c = nxt_write_timer_conn(timer); 1374 1375 c->socket.timedout = 1; 1376 nxt_openssl_conn_io_shutdown(task, c, NULL); 1377 } 1378 1379 1380 static void nxt_cdecl 1381 nxt_openssl_conn_error(nxt_task_t *task, nxt_err_t err, const char *fmt, ...) 1382 { 1383 u_char *p, *end; 1384 va_list args; 1385 nxt_uint_t level; 1386 u_char msg[NXT_MAX_ERROR_STR]; 1387 1388 level = nxt_openssl_log_error_level(err); 1389 1390 if (nxt_log_level_enough(task->log, level)) { 1391 1392 end = msg + sizeof(msg); 1393 1394 va_start(args, fmt); 1395 p = nxt_vsprintf(msg, end, fmt, args); 1396 va_end(args); 1397 1398 if (err != 0) { 1399 p = nxt_sprintf(p, end, " %E", err); 1400 } 1401 1402 p = nxt_openssl_copy_error(p, end); 1403 1404 nxt_log(task, level, "%*s", p - msg, msg); 1405 1406 } else { 1407 ERR_clear_error(); 1408 } 1409 } 1410 1411 1412 static nxt_uint_t 1413 nxt_openssl_log_error_level(nxt_err_t err) 1414 { 1415 switch (ERR_GET_REASON(ERR_peek_error())) { 1416 1417 case 0: 1418 return nxt_socket_error_level(err); 1419 1420 case SSL_R_BAD_CHANGE_CIPHER_SPEC: /* 103 */ 1421 case SSL_R_BLOCK_CIPHER_PAD_IS_WRONG: /* 129 */ 1422 case SSL_R_DIGEST_CHECK_FAILED: /* 149 */ 1423 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: /* 151 */ 1424 case SSL_R_EXCESSIVE_MESSAGE_SIZE: /* 152 */ 1425 case SSL_R_LENGTH_MISMATCH: /* 159 */ 1426 #ifdef SSL_R_NO_CIPHERS_PASSED 1427 case SSL_R_NO_CIPHERS_PASSED: /* 182 */ 1428 #endif 1429 case SSL_R_NO_CIPHERS_SPECIFIED: /* 183 */ 1430 case SSL_R_NO_COMPRESSION_SPECIFIED: /* 187 */ 1431 case SSL_R_NO_SHARED_CIPHER: /* 193 */ 1432 case SSL_R_RECORD_LENGTH_MISMATCH: /* 213 */ 1433 #ifdef SSL_R_PARSE_TLSEXT 1434 case SSL_R_PARSE_TLSEXT: /* 227 */ 1435 #endif 1436 case SSL_R_UNEXPECTED_MESSAGE: /* 244 */ 1437 case SSL_R_UNEXPECTED_RECORD: /* 245 */ 1438 case SSL_R_UNKNOWN_ALERT_TYPE: /* 246 */ 1439 case SSL_R_UNKNOWN_PROTOCOL: /* 252 */ 1440 case SSL_R_WRONG_VERSION_NUMBER: /* 267 */ 1441 case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: /* 281 */ 1442 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG 1443 case SSL_R_RENEGOTIATE_EXT_TOO_LONG: /* 335 */ 1444 case SSL_R_RENEGOTIATION_ENCODING_ERR: /* 336 */ 1445 case SSL_R_RENEGOTIATION_MISMATCH: /* 337 */ 1446 #endif 1447 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 1448 case SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED: /* 338 */ 1449 #endif 1450 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 1451 case SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING: /* 345 */ 1452 #endif 1453 case 1000:/* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ 1454 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: /* 1010 */ 1455 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: /* 1020 */ 1456 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: /* 1021 */ 1457 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: /* 1022 */ 1458 case SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE: /* 1030 */ 1459 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: /* 1040 */ 1460 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: /* 1047 */ 1461 break; 1462 1463 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: /* 1041 */ 1464 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE: /* 1042 */ 1465 case SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE: /* 1043 */ 1466 case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED: /* 1044 */ 1467 case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED: /* 1045 */ 1468 case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN: /* 1046 */ 1469 case SSL_R_TLSV1_ALERT_UNKNOWN_CA: /* 1048 */ 1470 case SSL_R_TLSV1_ALERT_ACCESS_DENIED: /* 1049 */ 1471 case SSL_R_TLSV1_ALERT_DECODE_ERROR: /* 1050 */ 1472 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: /* 1051 */ 1473 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: /* 1060 */ 1474 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION: /* 1070 */ 1475 case SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY: /* 1071 */ 1476 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: /* 1080 */ 1477 case SSL_R_TLSV1_ALERT_USER_CANCELLED: /* 1090 */ 1478 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: /* 1100 */ 1479 return NXT_LOG_ERR; 1480 1481 default: 1482 return NXT_LOG_ALERT; 1483 } 1484 1485 return NXT_LOG_INFO; 1486 } 1487 1488 1489 void nxt_cdecl 1490 nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level, const char *fmt, ...) 1491 { 1492 u_char *p, *end; 1493 va_list args; 1494 u_char msg[NXT_MAX_ERROR_STR]; 1495 1496 end = msg + sizeof(msg); 1497 1498 va_start(args, fmt); 1499 p = nxt_vsprintf(msg, end, fmt, args); 1500 va_end(args); 1501 1502 p = nxt_openssl_copy_error(p, end); 1503 1504 nxt_log(task, level, "%*s", p - msg, msg); 1505 } 1506 1507 1508 u_char * 1509 nxt_openssl_copy_error(u_char *p, u_char *end) 1510 { 1511 int flags; 1512 u_long err; 1513 nxt_bool_t clear; 1514 const char *data, *delimiter; 1515 1516 err = ERR_peek_error(); 1517 if (err == 0) { 1518 return p; 1519 } 1520 1521 /* Log the most relevant error message ... */ 1522 data = ERR_reason_error_string(err); 1523 1524 p = nxt_sprintf(p, end, " (%d: %s) (OpenSSL: ", ERR_GET_REASON(err), data); 1525 1526 /* 1527 * ... followed by all queued cumbersome OpenSSL error messages 1528 * and drain the error queue. 1529 */ 1530 delimiter = ""; 1531 clear = 0; 1532 1533 for ( ;; ) { 1534 err = ERR_get_error_line_data(NULL, NULL, &data, &flags); 1535 if (err == 0) { 1536 break; 1537 } 1538 1539 p = nxt_sprintf(p, end, "%s", delimiter); 1540 1541 ERR_error_string_n(err, (char *) p, end - p); 1542 1543 while (p < end && *p != '\0') { 1544 p++; 1545 } 1546 1547 if ((flags & ERR_TXT_STRING) != 0) { 1548 p = nxt_sprintf(p, end, ":%s", data); 1549 } 1550 1551 clear |= ((flags & ERR_TXT_MALLOCED) != 0); 1552 1553 delimiter = "; "; 1554 } 1555 1556 /* Deallocate additional data. */ 1557 1558 if (clear) { 1559 ERR_clear_error(); 1560 } 1561 1562 if (p < end) { 1563 *p++ = ')'; 1564 } 1565 1566 return p; 1567 } 1568