nxt_openssl.c (1885:09b857a2cca9) | nxt_openssl.c (1920:7c19530e2502) |
1 2/* 3 * Copyright (C) Igor Sysoev 4 * Copyright (C) NGINX, Inc. 5 */ 6 7#include <nxt_main.h> 8#include <nxt_conf.h> --- 28 unchanged lines hidden (view full) --- 37static nxt_int_t nxt_openssl_library_init(nxt_task_t *task); 38static void nxt_openssl_library_free(nxt_task_t *task); 39#if OPENSSL_VERSION_NUMBER < 0x10100004L 40static nxt_int_t nxt_openssl_locks_init(void); 41static void nxt_openssl_lock(int mode, int type, const char *file, int line); 42static unsigned long nxt_openssl_thread_id(void); 43static void nxt_openssl_locks_free(void); 44#endif | 1 2/* 3 * Copyright (C) Igor Sysoev 4 * Copyright (C) NGINX, Inc. 5 */ 6 7#include <nxt_main.h> 8#include <nxt_conf.h> --- 28 unchanged lines hidden (view full) --- 37static nxt_int_t nxt_openssl_library_init(nxt_task_t *task); 38static void nxt_openssl_library_free(nxt_task_t *task); 39#if OPENSSL_VERSION_NUMBER < 0x10100004L 40static nxt_int_t nxt_openssl_locks_init(void); 41static void nxt_openssl_lock(int mode, int type, const char *file, int line); 42static unsigned long nxt_openssl_thread_id(void); 43static void nxt_openssl_locks_free(void); 44#endif |
45static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, 46 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_conf_value_t *conf_cmds, 47 nxt_bool_t last); | 45static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp, 46 nxt_tls_init_t *tls_init, nxt_bool_t last); |
48static nxt_int_t nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, 49 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t single); 50#if (NXT_HAVE_OPENSSL_CONF_CMD) 51static nxt_int_t nxt_ssl_conf_commands(nxt_task_t *task, SSL_CTX *ctx, 52 nxt_conf_value_t *value, nxt_mp_t *mp); 53#endif | 47static nxt_int_t nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, 48 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t single); 49#if (NXT_HAVE_OPENSSL_CONF_CMD) 50static nxt_int_t nxt_ssl_conf_commands(nxt_task_t *task, SSL_CTX *ctx, 51 nxt_conf_value_t *value, nxt_mp_t *mp); 52#endif |
53static void nxt_ssl_session_cache(SSL_CTX *ctx, size_t cache_size, 54 time_t timeout); |
54static nxt_uint_t nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, 55 nxt_tls_conf_t *conf, nxt_mp_t *mp); 56static nxt_int_t nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, 57 void *data); 58static nxt_int_t nxt_openssl_bundle_hash_insert(nxt_task_t *task, 59 nxt_lvlhsh_t *lvlhsh, nxt_tls_bundle_hash_item_t *item, nxt_mp_t * mp); 60static nxt_int_t nxt_openssl_servername(SSL *s, int *ad, void *arg); 61static nxt_tls_bundle_conf_t *nxt_openssl_find_ctx(nxt_tls_conf_t *conf, --- 198 unchanged lines hidden (view full) --- 260 261 OPENSSL_free(nxt_openssl_locks); 262} 263 264#endif 265 266 267static nxt_int_t | 55static nxt_uint_t nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, 56 nxt_tls_conf_t *conf, nxt_mp_t *mp); 57static nxt_int_t nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, 58 void *data); 59static nxt_int_t nxt_openssl_bundle_hash_insert(nxt_task_t *task, 60 nxt_lvlhsh_t *lvlhsh, nxt_tls_bundle_hash_item_t *item, nxt_mp_t * mp); 61static nxt_int_t nxt_openssl_servername(SSL *s, int *ad, void *arg); 62static nxt_tls_bundle_conf_t *nxt_openssl_find_ctx(nxt_tls_conf_t *conf, --- 198 unchanged lines hidden (view full) --- 261 262 OPENSSL_free(nxt_openssl_locks); 263} 264 265#endif 266 267 268static nxt_int_t |
268nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf, 269 nxt_mp_t *mp, nxt_conf_value_t *conf_cmds, nxt_bool_t last) | 269nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp, 270 nxt_tls_init_t *tls_init, nxt_bool_t last) |
270{ 271 SSL_CTX *ctx; 272 const char *ciphers, *ca_certificate; | 271{ 272 SSL_CTX *ctx; 273 const char *ciphers, *ca_certificate; |
274 nxt_tls_conf_t *conf; |
273 STACK_OF(X509_NAME) *list; 274 nxt_tls_bundle_conf_t *bundle; 275 276 ctx = SSL_CTX_new(SSLv23_server_method()); 277 if (ctx == NULL) { 278 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed"); 279 return NXT_ERROR; 280 } 281 | 275 STACK_OF(X509_NAME) *list; 276 nxt_tls_bundle_conf_t *bundle; 277 278 ctx = SSL_CTX_new(SSLv23_server_method()); 279 if (ctx == NULL) { 280 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed"); 281 return NXT_ERROR; 282 } 283 |
284 conf = tls_init->conf; 285 |
282 bundle = conf->bundle; 283 nxt_assert(bundle != NULL); 284 285 bundle->ctx = ctx; 286 287#ifdef SSL_OP_NO_RENEGOTIATION 288 /* Renegration is not currently supported. */ 289 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); --- 42 unchanged lines hidden (view full) --- 332 if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) { 333 nxt_openssl_log_error(task, NXT_LOG_ALERT, 334 "SSL_CTX_set_cipher_list(\"%s\") failed", 335 ciphers); 336 goto fail; 337 } 338 339#if (NXT_HAVE_OPENSSL_CONF_CMD) | 286 bundle = conf->bundle; 287 nxt_assert(bundle != NULL); 288 289 bundle->ctx = ctx; 290 291#ifdef SSL_OP_NO_RENEGOTIATION 292 /* Renegration is not currently supported. */ 293 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); --- 42 unchanged lines hidden (view full) --- 336 if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) { 337 nxt_openssl_log_error(task, NXT_LOG_ALERT, 338 "SSL_CTX_set_cipher_list(\"%s\") failed", 339 ciphers); 340 goto fail; 341 } 342 343#if (NXT_HAVE_OPENSSL_CONF_CMD) |
340 if (conf_cmds != NULL 341 && nxt_ssl_conf_commands(task, ctx, conf_cmds, mp) != NXT_OK) | 344 if (tls_init->conf_cmds != NULL 345 && nxt_ssl_conf_commands(task, ctx, tls_init->conf_cmds, mp) != NXT_OK) |
342 { 343 goto fail; 344 } 345#endif 346 | 346 { 347 goto fail; 348 } 349#endif 350 |
351 nxt_ssl_session_cache(ctx, tls_init->cache_size, tls_init->timeout); 352 |
347 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 348 349 if (conf->ca_certificate != NULL) { 350 351 /* TODO: verify callback */ 352 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 353 354 /* TODO: verify depth */ --- 222 unchanged lines hidden (view full) --- 577 SSL_CONF_CTX_free(cctx); 578 579 return NXT_ERROR; 580} 581 582#endif 583 584 | 353 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 354 355 if (conf->ca_certificate != NULL) { 356 357 /* TODO: verify callback */ 358 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 359 360 /* TODO: verify depth */ --- 222 unchanged lines hidden (view full) --- 583 SSL_CONF_CTX_free(cctx); 584 585 return NXT_ERROR; 586} 587 588#endif 589 590 |
591static void 592nxt_ssl_session_cache(SSL_CTX *ctx, size_t cache_size, time_t timeout) 593{ 594 if (cache_size == 0) { 595 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); 596 return; 597 } 598 599 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); 600 601 SSL_CTX_sess_set_cache_size(ctx, cache_size); 602 603 SSL_CTX_set_timeout(ctx, (long) timeout); 604} 605 606 |
585static nxt_uint_t 586nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, nxt_tls_conf_t *conf, 587 nxt_mp_t *mp) 588{ 589 int len; 590 nxt_str_t domain, str; 591 X509_NAME *x509_name; 592 nxt_uint_t i, n; --- 953 unchanged lines hidden --- | 607static nxt_uint_t 608nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, nxt_tls_conf_t *conf, 609 nxt_mp_t *mp) 610{ 611 int len; 612 nxt_str_t domain, str; 613 X509_NAME *x509_name; 614 nxt_uint_t i, n; --- 953 unchanged lines hidden --- |
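Review bot: In the new `nxt_ssl_session_cache` (new lines 594-597) the early return for `cache_size == 0` skips `SSL_CTX_set_timeout`, so the configured timeout only governs the server-side cache and not the session tickets OpenSSL still issues by default when that cache is off; if `timeout` is meant to bound every form of resumption, move `SSL_CTX_set_timeout(ctx, (long) timeout);` above the `cache_size == 0` check, and if `cache_size == 0` is meant to disable resumption entirely the branch also needs `SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);`. `SSL_CTX_sess_set_cache_size` takes a `long`, so the `size_t` argument on new line 601 is narrowed implicitly; unless the config parser already bounds it, an explicit `(long)` cast behind a range check would make that visible. As far as I recall, a timeout of 0 given to `SSL_CTX_set_timeout` makes OpenSSL fall back to the method's default session lifetime rather than disabling caching, which deserves a comment on the function such as `/* timeout 0 keeps OpenSSL's default session lifetime */` if that is the intended semantics. The caller `nxt_openssl_server_init` begins and ends outside the visible rows, so whether `tls_init->timeout` is validated before this call cannot be seen here.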