1 2 /* 3 * Copyright (C) Igor Sysoev 4 * Copyright (C) NGINX, Inc. 5 */ 6 7 #include <nxt_main.h> 8 #include <nxt_conf.h> 9 #include <openssl/ssl.h> 10 #include <openssl/conf.h> 11 #include <openssl/err.h> 12 #include <openssl/rand.h> 13 #include <openssl/x509v3.h> 14 15 16 typedef struct { 17 SSL *session; 18 nxt_conn_t *conn; 19 20 int ssl_error; 21 uint8_t times; /* 2 bits */ 22 uint8_t handshake; /* 1 bit */ 23 24 nxt_tls_conf_t *conf; 25 nxt_buf_mem_t buffer; 26 } nxt_openssl_conn_t; 27 28 29 typedef enum { 30 NXT_OPENSSL_HANDSHAKE = 0, 31 NXT_OPENSSL_READ, 32 NXT_OPENSSL_WRITE, 33 NXT_OPENSSL_SHUTDOWN, 34 } nxt_openssl_io_t; 35 36 37 static nxt_int_t nxt_openssl_library_init(nxt_task_t *task); 38 static void nxt_openssl_library_free(nxt_task_t *task); 39 #if OPENSSL_VERSION_NUMBER < 0x10100004L 40 static nxt_int_t nxt_openssl_locks_init(void); 41 static void nxt_openssl_lock(int mode, int type, const char *file, int line); 42 static unsigned long nxt_openssl_thread_id(void); 43 static void nxt_openssl_locks_free(void); 44 #endif 45 static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, 46 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_conf_value_t *conf_cmds, 47 nxt_bool_t last); 48 static nxt_int_t nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, 49 nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t single); 50 #if (NXT_HAVE_OPENSSL_CONF_CMD) 51 static nxt_int_t nxt_ssl_conf_commands(nxt_task_t *task, SSL_CTX *ctx, 52 nxt_conf_value_t *value, nxt_mp_t *mp); 53 #endif 54 static nxt_uint_t nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, 55 nxt_tls_conf_t *conf, nxt_mp_t *mp); 56 static nxt_int_t nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, 57 void *data); 58 static nxt_int_t nxt_openssl_bundle_hash_insert(nxt_task_t *task, 59 nxt_lvlhsh_t *lvlhsh, nxt_tls_bundle_hash_item_t *item, nxt_mp_t * mp); 60 static nxt_int_t nxt_openssl_servername(SSL *s, int *ad, void *arg); 61 static nxt_tls_bundle_conf_t *nxt_openssl_find_ctx(nxt_tls_conf_t *conf, 62 nxt_str_t *sn); 63 static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf); 64 static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, 65 nxt_conn_t *c); 66 static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data); 67 static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b); 68 static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb); 69 static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, 70 void *buf, size_t size); 71 static void nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, 72 void *data); 73 static nxt_int_t nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, 74 int ret, nxt_err_t sys_err, nxt_openssl_io_t io); 75 static void nxt_openssl_conn_io_shutdown_timeout(nxt_task_t *task, void *obj, 76 void *data); 77 static void nxt_cdecl nxt_openssl_conn_error(nxt_task_t *task, 78 nxt_err_t err, const char *fmt, ...); 79 static nxt_uint_t nxt_openssl_log_error_level(nxt_err_t err); 80 81 82 const nxt_tls_lib_t nxt_openssl_lib = { 83 .library_init = nxt_openssl_library_init, 84 .library_free = nxt_openssl_library_free, 85 86 .server_init = nxt_openssl_server_init, 87 .server_free = nxt_openssl_server_free, 88 }; 89 90 91 static nxt_conn_io_t nxt_openssl_conn_io = { 92 .read = nxt_conn_io_read, 93 .recvbuf = nxt_openssl_conn_io_recvbuf, 94 95 .write = nxt_conn_io_write, 96 .sendbuf = nxt_openssl_conn_io_sendbuf, 97 98 .shutdown = nxt_openssl_conn_io_shutdown, 99 }; 100 101 102 static long nxt_openssl_version; 103 static int nxt_openssl_connection_index; 104 105 106 static nxt_int_t 107 nxt_openssl_library_init(nxt_task_t *task) 108 { 109 int index; 110 111 if (nxt_fast_path(nxt_openssl_version != 0)) { 112 return NXT_OK; 113 } 114 115 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 116 117 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); 118 119 #else 120 { 121 nxt_int_t ret; 122 123 SSL_load_error_strings(); 124 125 OPENSSL_config(NULL); 126 127 /* 128 * SSL_library_init(3): 129 * 130 * SSL_library_init() always returns "1", 131 * so it is safe to discard the return value. 132 */ 133 (void) SSL_library_init(); 134 135 ret = nxt_openssl_locks_init(); 136 if (nxt_slow_path(ret != NXT_OK)) { 137 return ret; 138 } 139 } 140 141 #endif 142 143 nxt_openssl_version = SSLeay(); 144 145 nxt_log(task, NXT_LOG_INFO, "%s, %xl", 146 SSLeay_version(SSLEAY_VERSION), nxt_openssl_version); 147 148 #ifndef SSL_OP_NO_COMPRESSION 149 { 150 /* 151 * Disable gzip compression in OpenSSL prior to 1.0.0 152 * version, this saves about 522K per connection. 153 */ 154 int n; 155 STACK_OF(SSL_COMP) *ssl_comp_methods; 156 157 ssl_comp_methods = SSL_COMP_get_compression_methods(); 158 159 for (n = sk_SSL_COMP_num(ssl_comp_methods); n != 0; n--) { 160 (void) sk_SSL_COMP_pop(ssl_comp_methods); 161 } 162 } 163 #endif 164 165 index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); 166 167 if (index == -1) { 168 nxt_openssl_log_error(task, NXT_LOG_ALERT, 169 "SSL_get_ex_new_index() failed"); 170 return NXT_ERROR; 171 } 172 173 nxt_openssl_connection_index = index; 174 175 return NXT_OK; 176 } 177 178 179 #if OPENSSL_VERSION_NUMBER >= 0x10100003L 180 181 static void 182 nxt_openssl_library_free(nxt_task_t *task) 183 { 184 } 185 186 #else 187 188 static nxt_thread_mutex_t *nxt_openssl_locks; 189 190 static nxt_int_t 191 nxt_openssl_locks_init(void) 192 { 193 int i, n; 194 nxt_int_t ret; 195 196 n = CRYPTO_num_locks(); 197 198 nxt_openssl_locks = OPENSSL_malloc(n * sizeof(nxt_thread_mutex_t)); 199 if (nxt_slow_path(nxt_openssl_locks == NULL)) { 200 return NXT_ERROR; 201 } 202 203 for (i = 0; i < n; i++) { 204 ret = nxt_thread_mutex_create(&nxt_openssl_locks[i]); 205 if (nxt_slow_path(ret != NXT_OK)) { 206 return ret; 207 } 208 } 209 210 CRYPTO_set_locking_callback(nxt_openssl_lock); 211 212 CRYPTO_set_id_callback(nxt_openssl_thread_id); 213 214 return NXT_OK; 215 } 216 217 218 static void 219 nxt_openssl_lock(int mode, int type, const char *file, int line) 220 { 221 nxt_thread_mutex_t *lock; 222 223 lock = &nxt_openssl_locks[type]; 224 225 if ((mode & CRYPTO_LOCK) != 0) { 226 (void) nxt_thread_mutex_lock(lock); 227 228 } else { 229 (void) nxt_thread_mutex_unlock(lock); 230 } 231 } 232 233 234 static u_long 235 nxt_openssl_thread_id(void) 236 { 237 return (u_long) nxt_thread_handle(); 238 } 239 240 241 static void 242 nxt_openssl_library_free(nxt_task_t *task) 243 { 244 nxt_openssl_locks_free(); 245 } 246 247 248 static void 249 nxt_openssl_locks_free(void) 250 { 251 int i, n; 252 253 n = CRYPTO_num_locks(); 254 255 CRYPTO_set_locking_callback(NULL); 256 257 for (i = 0; i < n; i++) { 258 nxt_thread_mutex_destroy(&nxt_openssl_locks[i]); 259 } 260 261 OPENSSL_free(nxt_openssl_locks); 262 } 263 264 #endif 265 266 267 static nxt_int_t 268 nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf, 269 nxt_mp_t *mp, nxt_conf_value_t *conf_cmds, nxt_bool_t last) 270 { 271 SSL_CTX *ctx; 272 const char *ciphers, *ca_certificate; 273 STACK_OF(X509_NAME) *list; 274 nxt_tls_bundle_conf_t *bundle; 275 276 ctx = SSL_CTX_new(SSLv23_server_method()); 277 if (ctx == NULL) { 278 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed"); 279 return NXT_ERROR; 280 } 281 282 bundle = conf->bundle; 283 nxt_assert(bundle != NULL); 284 285 bundle->ctx = ctx; 286 287 #ifdef SSL_OP_NO_RENEGOTIATION 288 /* Renegration is not currently supported. */ 289 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); 290 #endif 291 292 #ifdef SSL_OP_NO_COMPRESSION 293 /* 294 * Disable gzip compression in OpenSSL 1.0.0, 295 * this saves about 522K per connection. 296 */ 297 SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); 298 #endif 299 300 #ifdef SSL_MODE_RELEASE_BUFFERS 301 302 if (nxt_openssl_version >= 10001078) { 303 /* 304 * Allow to release read and write buffers in OpenSSL 1.0.0, 305 * this saves about 34K per idle connection. It is not safe 306 * before OpenSSL 1.0.1h (CVE-2010-5298). 307 */ 308 SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); 309 } 310 311 #endif 312 313 if (nxt_openssl_chain_file(task, ctx, conf, mp, 314 last && bundle->next == NULL) 315 != NXT_OK) 316 { 317 goto fail; 318 } 319 /* 320 key = conf->certificate_key; 321 322 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) { 323 nxt_openssl_log_error(task, NXT_LOG_ALERT, 324 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", 325 key); 326 goto fail; 327 } 328 */ 329 330 ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5"; 331 332 if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) { 333 nxt_openssl_log_error(task, NXT_LOG_ALERT, 334 "SSL_CTX_set_cipher_list(\"%s\") failed", 335 ciphers); 336 goto fail; 337 } 338 339 #if (NXT_HAVE_OPENSSL_CONF_CMD) 340 if (conf_cmds != NULL 341 && nxt_ssl_conf_commands(task, ctx, conf_cmds, mp) != NXT_OK) 342 { 343 goto fail; 344 } 345 #endif 346 347 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 348 349 if (conf->ca_certificate != NULL) { 350 351 /* TODO: verify callback */ 352 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 353 354 /* TODO: verify depth */ 355 SSL_CTX_set_verify_depth(ctx, 1); 356 357 ca_certificate = conf->ca_certificate; 358 359 if (SSL_CTX_load_verify_locations(ctx, ca_certificate, NULL) == 0) { 360 nxt_openssl_log_error(task, NXT_LOG_ALERT, 361 "SSL_CTX_load_verify_locations(\"%s\") failed", 362 ca_certificate); 363 goto fail; 364 } 365 366 list = SSL_load_client_CA_file(ca_certificate); 367 368 if (list == NULL) { 369 nxt_openssl_log_error(task, NXT_LOG_ALERT, 370 "SSL_load_client_CA_file(\"%s\") failed", 371 ca_certificate); 372 goto fail; 373 } 374 375 /* 376 * SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and 377 * 0.9.8 versions always leaves an error in the error queue. 378 */ 379 ERR_clear_error(); 380 381 SSL_CTX_set_client_CA_list(ctx, list); 382 } 383 384 if (last) { 385 conf->conn_init = nxt_openssl_conn_init; 386 387 if (bundle->next != NULL) { 388 SSL_CTX_set_tlsext_servername_callback(ctx, nxt_openssl_servername); 389 } 390 } 391 392 return NXT_OK; 393 394 fail: 395 396 SSL_CTX_free(ctx); 397 398 #if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 399 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 400 RAND_keep_random_devices_open(0); 401 #endif 402 403 return NXT_ERROR; 404 } 405 406 407 static nxt_int_t 408 nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, nxt_tls_conf_t *conf, 409 nxt_mp_t *mp, nxt_bool_t single) 410 { 411 BIO *bio; 412 X509 *cert, *ca; 413 long reason; 414 EVP_PKEY *key; 415 nxt_int_t ret; 416 nxt_tls_bundle_conf_t *bundle; 417 418 ret = NXT_ERROR; 419 cert = NULL; 420 421 bio = BIO_new(BIO_s_fd()); 422 if (bio == NULL) { 423 goto end; 424 } 425 426 bundle = conf->bundle; 427 428 BIO_set_fd(bio, bundle->chain_file, BIO_CLOSE); 429 430 cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); 431 if (cert == NULL) { 432 goto end; 433 } 434 435 if (SSL_CTX_use_certificate(ctx, cert) != 1) { 436 goto end; 437 } 438 439 if (!single && nxt_openssl_cert_get_names(task, cert, conf, mp) != NXT_OK) { 440 goto clean; 441 } 442 443 for ( ;; ) { 444 ca = PEM_read_bio_X509(bio, NULL, NULL, NULL); 445 446 if (ca == NULL) { 447 reason = ERR_GET_REASON(ERR_peek_last_error()); 448 if (reason != PEM_R_NO_START_LINE) { 449 goto end; 450 } 451 452 ERR_clear_error(); 453 break; 454 } 455 456 /* 457 * Note that ca isn't freed if it was successfully added to the chain, 458 * while the main certificate needs a X509_free() call, since 459 * its reference count is increased by SSL_CTX_use_certificate(). 460 */ 461 #ifdef SSL_CTX_add0_chain_cert 462 if (SSL_CTX_add0_chain_cert(ctx, ca) != 1) { 463 #else 464 if (SSL_CTX_add_extra_chain_cert(ctx, ca) != 1) { 465 #endif 466 X509_free(ca); 467 goto end; 468 } 469 } 470 471 if (BIO_reset(bio) != 0) { 472 goto end; 473 } 474 475 key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); 476 if (key == NULL) { 477 goto end; 478 } 479 480 if (SSL_CTX_use_PrivateKey(ctx, key) == 1) { 481 ret = NXT_OK; 482 } 483 484 EVP_PKEY_free(key); 485 486 end: 487 488 if (ret != NXT_OK) { 489 nxt_openssl_log_error(task, NXT_LOG_ALERT, 490 "nxt_openssl_chain_file() failed"); 491 } 492 493 clean: 494 495 BIO_free(bio); 496 X509_free(cert); 497 498 return ret; 499 } 500 501 502 #if (NXT_HAVE_OPENSSL_CONF_CMD) 503 504 static nxt_int_t 505 nxt_ssl_conf_commands(nxt_task_t *task, SSL_CTX *ctx, nxt_conf_value_t *conf, 506 nxt_mp_t *mp) 507 { 508 int ret; 509 char *zcmd, *zvalue; 510 uint32_t index; 511 nxt_str_t cmd, value; 512 SSL_CONF_CTX *cctx; 513 nxt_conf_value_t *member; 514 515 cctx = SSL_CONF_CTX_new(); 516 if (nxt_slow_path(cctx == NULL)) { 517 nxt_openssl_log_error(task, NXT_LOG_ALERT, 518 "SSL_CONF_CTX_new() failed"); 519 return NXT_ERROR; 520 } 521 522 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE 523 | SSL_CONF_FLAG_SERVER 524 | SSL_CONF_FLAG_CERTIFICATE 525 | SSL_CONF_FLAG_SHOW_ERRORS); 526 527 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); 528 529 index = 0; 530 531 for ( ;; ) { 532 member = nxt_conf_next_object_member(conf, &cmd, &index); 533 if (nxt_slow_path(member == NULL)) { 534 break; 535 } 536 537 nxt_conf_get_string(member, &value); 538 539 zcmd = nxt_str_cstrz(mp, &cmd); 540 zvalue = nxt_str_cstrz(mp, &value); 541 542 if (nxt_slow_path(zcmd == NULL || zvalue == NULL)) { 543 goto fail; 544 } 545 546 ret = SSL_CONF_cmd(cctx, zcmd, zvalue); 547 if (ret == -2) { 548 nxt_openssl_log_error(task, NXT_LOG_ERR, 549 "unknown command \"%s\" in " 550 "\"conf_commands\" option", zcmd); 551 goto fail; 552 } 553 554 if (ret <= 0) { 555 nxt_openssl_log_error(task, NXT_LOG_ERR, 556 "invalid value \"%s\" for command \"%s\" " 557 "in \"conf_commands\" option", 558 zvalue, zcmd); 559 goto fail; 560 } 561 562 nxt_debug(task, "SSL_CONF_cmd(\"%s\", \"%s\")", zcmd, zvalue); 563 } 564 565 if (SSL_CONF_CTX_finish(cctx) != 1) { 566 nxt_openssl_log_error(task, NXT_LOG_ALERT, 567 "SSL_CONF_finish() failed"); 568 goto fail; 569 } 570 571 SSL_CONF_CTX_free(cctx); 572 573 return NXT_OK; 574 575 fail: 576 577 SSL_CONF_CTX_free(cctx); 578 579 return NXT_ERROR; 580 } 581 582 #endif 583 584 585 static nxt_uint_t 586 nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, nxt_tls_conf_t *conf, 587 nxt_mp_t *mp) 588 { 589 int len; 590 nxt_str_t domain, str; 591 X509_NAME *x509_name; 592 nxt_uint_t i, n; 593 GENERAL_NAME *name; 594 nxt_tls_bundle_conf_t *bundle; 595 STACK_OF(GENERAL_NAME) *alt_names; 596 nxt_tls_bundle_hash_item_t *item; 597 598 bundle = conf->bundle; 599 600 alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 601 602 if (alt_names != NULL) { 603 n = sk_GENERAL_NAME_num(alt_names); 604 605 for (i = 0; i != n; i++) { 606 name = sk_GENERAL_NAME_value(alt_names, i); 607 608 if (name->type != GEN_DNS) { 609 continue; 610 } 611 612 str.length = ASN1_STRING_length(name->d.dNSName); 613 #if OPENSSL_VERSION_NUMBER > 0x10100000L 614 str.start = (u_char *) ASN1_STRING_get0_data(name->d.dNSName); 615 #else 616 str.start = ASN1_STRING_data(name->d.dNSName); 617 #endif 618 619 domain.start = nxt_mp_nget(mp, str.length); 620 if (nxt_slow_path(domain.start == NULL)) { 621 goto fail; 622 } 623 624 domain.length = str.length; 625 nxt_memcpy_lowcase(domain.start, str.start, str.length); 626 627 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t)); 628 if (nxt_slow_path(item == NULL)) { 629 goto fail; 630 } 631 632 item->name = domain; 633 item->bundle = bundle; 634 635 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, 636 item, mp) 637 == NXT_ERROR) 638 { 639 goto fail; 640 } 641 } 642 643 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free); 644 645 } else { 646 x509_name = X509_get_subject_name(cert); 647 len = X509_NAME_get_text_by_NID(x509_name, NID_commonName, 648 NULL, 0); 649 if (len <= 0) { 650 nxt_log(task, NXT_LOG_WARN, "certificate \"%V\" has neither " 651 "Subject Alternative Name nor Common Name", &bundle->name); 652 return NXT_OK; 653 } 654 655 domain.start = nxt_mp_nget(mp, len + 1); 656 if (nxt_slow_path(domain.start == NULL)) { 657 return NXT_ERROR; 658 } 659 660 domain.length = X509_NAME_get_text_by_NID(x509_name, NID_commonName, 661 (char *) domain.start, 662 len + 1); 663 nxt_memcpy_lowcase(domain.start, domain.start, domain.length); 664 665 item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t)); 666 if (nxt_slow_path(item == NULL)) { 667 return NXT_ERROR; 668 } 669 670 item->name = domain; 671 item->bundle = bundle; 672 673 if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, item, 674 mp) 675 == NXT_ERROR) 676 { 677 return NXT_ERROR; 678 } 679 } 680 681 return NXT_OK; 682 683 fail: 684 685 sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free); 686 687 return NXT_ERROR; 688 } 689 690 691 static const nxt_lvlhsh_proto_t nxt_openssl_bundle_hash_proto 692 nxt_aligned(64) = 693 { 694 NXT_LVLHSH_DEFAULT, 695 nxt_openssl_bundle_hash_test, 696 nxt_mp_lvlhsh_alloc, 697 nxt_mp_lvlhsh_free, 698 }; 699 700 701 static nxt_int_t 702 nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, void *data) 703 { 704 nxt_tls_bundle_hash_item_t *item; 705 706 item = data; 707 708 return nxt_strstr_eq(&lhq->key, &item->name) ? NXT_OK : NXT_DECLINED; 709 } 710 711 712 static nxt_int_t 713 nxt_openssl_bundle_hash_insert(nxt_task_t *task, nxt_lvlhsh_t *lvlhsh, 714 nxt_tls_bundle_hash_item_t *item, nxt_mp_t *mp) 715 { 716 nxt_str_t str; 717 nxt_int_t ret; 718 nxt_lvlhsh_query_t lhq; 719 nxt_tls_bundle_hash_item_t *old; 720 721 str = item->name; 722 723 if (item->name.start[0] == '*') { 724 item->name.start++; 725 item->name.length--; 726 727 if (item->name.length == 0 || item->name.start[0] != '.') { 728 nxt_log(task, NXT_LOG_WARN, "ignored invalid name \"%V\" " 729 "in certificate \"%V\": missing \".\" " 730 "after wildcard symbol", &str, &item->bundle->name); 731 return NXT_OK; 732 } 733 } 734 735 lhq.pool = mp; 736 lhq.key = item->name; 737 lhq.value = item; 738 lhq.proto = &nxt_openssl_bundle_hash_proto; 739 lhq.replace = 0; 740 lhq.key_hash = nxt_murmur_hash2(item->name.start, item->name.length); 741 742 ret = nxt_lvlhsh_insert(lvlhsh, &lhq); 743 if (nxt_fast_path(ret == NXT_OK)) { 744 nxt_debug(task, "name \"%V\" for certificate \"%V\" is inserted", 745 &str, &item->bundle->name); 746 return NXT_OK; 747 } 748 749 if (nxt_fast_path(ret == NXT_DECLINED)) { 750 old = lhq.value; 751 if (old->bundle != item->bundle) { 752 nxt_log(task, NXT_LOG_WARN, "ignored duplicate name \"%V\" " 753 "in certificate \"%V\", identical name appears in \"%V\"", 754 &str, &old->bundle->name, &item->bundle->name); 755 756 old->bundle = item->bundle; 757 } 758 759 return NXT_OK; 760 } 761 762 return NXT_ERROR; 763 } 764 765 766 static nxt_int_t 767 nxt_openssl_servername(SSL *s, int *ad, void *arg) 768 { 769 nxt_str_t str; 770 nxt_uint_t i; 771 nxt_conn_t *c; 772 const char *servername; 773 nxt_tls_conf_t *conf; 774 nxt_openssl_conn_t *tls; 775 nxt_tls_bundle_conf_t *bundle; 776 777 c = SSL_get_ex_data(s, nxt_openssl_connection_index); 778 779 if (nxt_slow_path(c == NULL)) { 780 nxt_thread_log_alert("SSL_get_ex_data() failed"); 781 return SSL_TLSEXT_ERR_ALERT_FATAL; 782 } 783 784 servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 785 if (nxt_slow_path(servername == NULL)) { 786 nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned " 787 "NULL in server name callback"); 788 return SSL_TLSEXT_ERR_ALERT_FATAL; 789 } 790 791 str.length = nxt_strlen(servername); 792 if (str.length == 0) { 793 nxt_debug(c->socket.task, "client sent zero-length server name"); 794 goto done; 795 } 796 797 if (servername[0] == '.') { 798 nxt_debug(c->socket.task, "ignored the server name \"%s\": " 799 "leading \".\"", servername); 800 goto done; 801 } 802 803 nxt_debug(c->socket.task, "tls with servername \"%s\"", servername); 804 805 str.start = nxt_mp_nget(c->mem_pool, str.length); 806 if (nxt_slow_path(str.start == NULL)) { 807 return SSL_TLSEXT_ERR_ALERT_FATAL; 808 } 809 810 nxt_memcpy_lowcase(str.start, (const u_char *) servername, str.length); 811 812 tls = c->u.tls; 813 conf = tls->conf; 814 815 bundle = nxt_openssl_find_ctx(conf, &str); 816 817 if (bundle == NULL) { 818 for (i = 1; i < str.length; i++) { 819 if (str.start[i] == '.') { 820 str.start += i; 821 str.length -= i; 822 823 bundle = nxt_openssl_find_ctx(conf, &str); 824 break; 825 } 826 } 827 } 828 829 if (bundle != NULL) { 830 nxt_debug(c->socket.task, "new tls context found for \"%V\": \"%V\" " 831 "(old: \"%V\")", &str, &bundle->name, 832 &conf->bundle->name); 833 834 if (bundle != conf->bundle) { 835 if (SSL_set_SSL_CTX(s, bundle->ctx) == NULL) { 836 nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT, 837 "SSL_set_SSL_CTX() failed"); 838 839 return SSL_TLSEXT_ERR_ALERT_FATAL; 840 } 841 } 842 } 843 844 done: 845 846 return SSL_TLSEXT_ERR_OK; 847 } 848 849 850 static nxt_tls_bundle_conf_t * 851 nxt_openssl_find_ctx(nxt_tls_conf_t *conf, nxt_str_t *sn) 852 { 853 nxt_int_t ret; 854 nxt_lvlhsh_query_t lhq; 855 nxt_tls_bundle_hash_item_t *item; 856 857 lhq.key_hash = nxt_murmur_hash2(sn->start, sn->length); 858 lhq.key = *sn; 859 lhq.proto = &nxt_openssl_bundle_hash_proto; 860 861 ret = nxt_lvlhsh_find(&conf->bundle_hash, &lhq); 862 if (ret != NXT_OK) { 863 return NULL; 864 } 865 866 item = lhq.value; 867 868 return item->bundle; 869 } 870 871 872 static void 873 nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf) 874 { 875 nxt_tls_bundle_conf_t *bundle; 876 877 bundle = conf->bundle; 878 nxt_assert(bundle != NULL); 879 880 do { 881 SSL_CTX_free(bundle->ctx); 882 bundle = bundle->next; 883 } while (bundle != NULL); 884 885 #if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \ 886 && OPENSSL_VERSION_NUMBER < 0x1010101fL) 887 RAND_keep_random_devices_open(0); 888 #endif 889 } 890 891 892 static void 893 nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, nxt_conn_t *c) 894 { 895 int ret; 896 SSL *s; 897 SSL_CTX *ctx; 898 nxt_openssl_conn_t *tls; 899 900 nxt_log_debug(c->socket.log, "openssl conn init"); 901 902 tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t)); 903 if (tls == NULL) { 904 goto fail; 905 } 906 907 c->u.tls = tls; 908 nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size); 909 910 ctx = conf->bundle->ctx; 911 912 s = SSL_new(ctx); 913 if (s == NULL) { 914 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed"); 915 goto fail; 916 } 917 918 tls->session = s; 919 /* To pass TLS config to the nxt_openssl_servername() callback. */ 920 tls->conf = conf; 921 tls->conn = c; 922 923 ret = SSL_set_fd(s, c->socket.fd); 924 925 if (ret == 0) { 926 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed", 927 c->socket.fd); 928 goto fail; 929 } 930 931 SSL_set_accept_state(s); 932 933 if (SSL_set_ex_data(s, nxt_openssl_connection_index, c) == 0) { 934 nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed"); 935 goto fail; 936 } 937 938 c->io = &nxt_openssl_conn_io; 939 c->sendfile = NXT_CONN_SENDFILE_OFF; 940 941 nxt_openssl_conn_handshake(task, c, c->socket.data); 942 943 return; 944 945 fail: 946 947 nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler, 948 task, c, c->socket.data); 949 } 950 951 952 nxt_inline void 953 nxt_openssl_conn_free(nxt_task_t *task, nxt_conn_t *c) 954 { 955 nxt_openssl_conn_t *tls; 956 957 nxt_debug(task, "openssl conn free"); 958 959 tls = c->u.tls; 960 961 if (tls != NULL) { 962 c->u.tls = NULL; 963 nxt_free(tls->buffer.start); 964 SSL_free(tls->session); 965 } 966 } 967 968 969 static void 970 nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data) 971 { 972 int ret; 973 nxt_int_t n; 974 nxt_err_t err; 975 nxt_conn_t *c; 976 nxt_work_queue_t *wq; 977 nxt_work_handler_t handler; 978 nxt_openssl_conn_t *tls; 979 const nxt_conn_state_t *state; 980 981 c = obj; 982 983 nxt_debug(task, "openssl conn handshake fd:%d", c->socket.fd); 984 985 if (c->socket.error != 0) { 986 return; 987 } 988 989 tls = c->u.tls; 990 991 if (tls == NULL) { 992 return; 993 } 994 995 nxt_debug(task, "openssl conn handshake: %d times", tls->times); 996 997 /* "tls->times == 1" is suitable to run SSL_do_handshake() in job. */ 998 999 ret = SSL_do_handshake(tls->session); 1000 1001 err = (ret <= 0) ? nxt_socket_errno : 0; 1002 1003 nxt_thread_time_debug_update(task->thread); 1004 1005 nxt_debug(task, "SSL_do_handshake(%d): %d err:%d", c->socket.fd, ret, err); 1006 1007 state = (c->read_state != NULL) ? c->read_state : c->write_state; 1008 1009 if (ret > 0) { 1010 /* ret == 1, the handshake was successfully completed. */ 1011 tls->handshake = 1; 1012 1013 if (c->read_state != NULL) { 1014 if (state->io_read_handler != NULL || c->read != NULL) { 1015 nxt_conn_read(task->thread->engine, c); 1016 return; 1017 } 1018 1019 } else { 1020 if (c->write != NULL) { 1021 nxt_conn_write(task->thread->engine, c); 1022 return; 1023 } 1024 } 1025 1026 handler = state->ready_handler; 1027 1028 } else { 1029 c->socket.read_handler = nxt_openssl_conn_handshake; 1030 c->socket.write_handler = nxt_openssl_conn_handshake; 1031 1032 n = nxt_openssl_conn_test_error(task, c, ret, err, 1033 NXT_OPENSSL_HANDSHAKE); 1034 switch (n) { 1035 1036 case NXT_AGAIN: 1037 if (tls->ssl_error == SSL_ERROR_WANT_READ && tls->times < 2) { 1038 tls->times++; 1039 } 1040 1041 return; 1042 1043 case 0: 1044 handler = state->close_handler; 1045 break; 1046 1047 default: 1048 case NXT_ERROR: 1049 nxt_openssl_conn_error(task, err, "SSL_do_handshake(%d) failed", 1050 c->socket.fd); 1051 1052 handler = state->error_handler; 1053 break; 1054 } 1055 } 1056 1057 wq = (c->read_state != NULL) ? c->read_work_queue : c->write_work_queue; 1058 1059 nxt_work_queue_add(wq, handler, task, c, data); 1060 } 1061 1062 1063 static ssize_t 1064 nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b) 1065 { 1066 int ret; 1067 size_t size; 1068 nxt_int_t n; 1069 nxt_err_t err; 1070 nxt_openssl_conn_t *tls; 1071 1072 tls = c->u.tls; 1073 size = b->mem.end - b->mem.free; 1074 1075 ret = SSL_read(tls->session, b->mem.free, size); 1076 1077 err = (ret <= 0) ? nxt_socket_errno : 0; 1078 1079 nxt_debug(c->socket.task, "SSL_read(%d, %p, %uz): %d err:%d", 1080 c->socket.fd, b->mem.free, size, ret, err); 1081 1082 if (ret > 0) { 1083 return ret; 1084 } 1085 1086 n = nxt_openssl_conn_test_error(c->socket.task, c, ret, err, 1087 NXT_OPENSSL_READ); 1088 if (n == NXT_ERROR) { 1089 nxt_openssl_conn_error(c->socket.task, err, 1090 "SSL_read(%d, %p, %uz) failed", 1091 c->socket.fd, b->mem.free, size); 1092 } 1093 1094 return n; 1095 } 1096 1097 1098 static ssize_t 1099 nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb) 1100 { 1101 nxt_uint_t niov; 1102 struct iovec iov; 1103 1104 niov = nxt_sendbuf_mem_coalesce0(task, sb, &iov, 1); 1105 1106 if (niov == 0 && sb->sync) { 1107 return 0; 1108 } 1109 1110 return nxt_openssl_conn_io_send(task, sb, iov.iov_base, iov.iov_len); 1111 } 1112 1113 1114 static ssize_t 1115 nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, void *buf, 1116 size_t size) 1117 { 1118 int ret; 1119 nxt_err_t err; 1120 nxt_int_t n; 1121 nxt_conn_t *c; 1122 nxt_openssl_conn_t *tls; 1123 1124 tls = sb->tls; 1125 1126 ret = SSL_write(tls->session, buf, size); 1127 1128 err = (ret <= 0) ? nxt_socket_errno : 0; 1129 1130 nxt_debug(task, "SSL_write(%d, %p, %uz): %d err:%d", 1131 sb->socket, buf, size, ret, err); 1132 1133 if (ret > 0) { 1134 return ret; 1135 } 1136 1137 c = tls->conn; 1138 c->socket.write_ready = sb->ready; 1139 1140 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_WRITE); 1141 1142 sb->ready = c->socket.write_ready; 1143 1144 if (n == NXT_ERROR) { 1145 sb->error = c->socket.error; 1146 nxt_openssl_conn_error(task, err, "SSL_write(%d, %p, %uz) failed", 1147 sb->socket, buf, size); 1148 } 1149 1150 return n; 1151 } 1152 1153 1154 static void 1155 nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, void *data) 1156 { 1157 int ret, mode; 1158 SSL *s; 1159 nxt_err_t err; 1160 nxt_int_t n; 1161 nxt_bool_t quiet, once; 1162 nxt_conn_t *c; 1163 nxt_openssl_conn_t *tls; 1164 nxt_work_handler_t handler; 1165 1166 c = obj; 1167 1168 nxt_debug(task, "openssl conn shutdown fd:%d", c->socket.fd); 1169 1170 c->read_state = NULL; 1171 tls = c->u.tls; 1172 1173 if (tls == NULL) { 1174 return; 1175 } 1176 1177 s = tls->session; 1178 1179 if (s == NULL || !tls->handshake) { 1180 handler = c->write_state->ready_handler; 1181 goto done; 1182 } 1183 1184 mode = SSL_get_shutdown(s); 1185 1186 if (c->socket.timedout || c->socket.error != 0) { 1187 quiet = 1; 1188 1189 } else if (c->socket.closed && !(mode & SSL_RECEIVED_SHUTDOWN)) { 1190 quiet = 1; 1191 1192 } else { 1193 quiet = 0; 1194 } 1195 1196 SSL_set_quiet_shutdown(s, quiet); 1197 1198 if (tls->conf->no_wait_shutdown) { 1199 mode |= SSL_RECEIVED_SHUTDOWN; 1200 } 1201 1202 once = 1; 1203 1204 for ( ;; ) { 1205 SSL_set_shutdown(s, mode); 1206 1207 ret = SSL_shutdown(s); 1208 1209 err = (ret <= 0) ? nxt_socket_errno : 0; 1210 1211 nxt_debug(task, "SSL_shutdown(%d, %d, %b): %d err:%d", 1212 c->socket.fd, mode, quiet, ret, err); 1213 1214 if (ret > 0) { 1215 /* ret == 1, the shutdown was successfully completed. */ 1216 handler = c->write_state->ready_handler; 1217 goto done; 1218 } 1219 1220 if (ret == 0) { 1221 /* 1222 * If SSL_shutdown() returns 0 then it should be called 1223 * again. The second SSL_shutdown() call should return 1224 * -1/SSL_ERROR_WANT_READ or -1/SSL_ERROR_WANT_WRITE. 1225 * OpenSSL prior to 0.9.8m version however never returns 1226 * -1 at all. Fortunately, OpenSSL preserves internally 1227 * correct status available via SSL_get_error(-1). 1228 */ 1229 if (once) { 1230 once = 0; 1231 mode = SSL_get_shutdown(s); 1232 continue; 1233 } 1234 1235 ret = -1; 1236 } 1237 1238 /* ret == -1 */ 1239 1240 break; 1241 } 1242 1243 c->socket.read_handler = nxt_openssl_conn_io_shutdown; 1244 c->socket.write_handler = nxt_openssl_conn_io_shutdown; 1245 c->socket.error_handler = c->write_state->error_handler; 1246 1247 n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_SHUTDOWN); 1248 1249 switch (n) { 1250 1251 case 0: 1252 handler = c->write_state->close_handler; 1253 break; 1254 1255 case NXT_AGAIN: 1256 c->write_timer.handler = nxt_openssl_conn_io_shutdown_timeout; 1257 nxt_timer_add(task->thread->engine, &c->write_timer, 5000); 1258 return; 1259 1260 default: 1261 case NXT_ERROR: 1262 nxt_openssl_conn_error(task, err, "SSL_shutdown(%d) failed", 1263 c->socket.fd); 1264 handler = c->write_state->error_handler; 1265 } 1266 1267 done: 1268 1269 nxt_openssl_conn_free(task, c); 1270 1271 nxt_work_queue_add(c->write_work_queue, handler, task, c, data); 1272 } 1273 1274 1275 static nxt_int_t 1276 nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, int ret, 1277 nxt_err_t sys_err, nxt_openssl_io_t io) 1278 { 1279 u_long lib_err; 1280 nxt_openssl_conn_t *tls; 1281 1282 tls = c->u.tls; 1283 1284 tls->ssl_error = SSL_get_error(tls->session, ret); 1285 1286 nxt_debug(task, "SSL_get_error(): %d", tls->ssl_error); 1287 1288 switch (tls->ssl_error) { 1289 1290 case SSL_ERROR_WANT_READ: 1291 c->socket.read_ready = 0; 1292 1293 if (io != NXT_OPENSSL_READ) { 1294 nxt_fd_event_block_write(task->thread->engine, &c->socket); 1295 1296 if (nxt_fd_event_is_disabled(c->socket.read)) { 1297 nxt_fd_event_enable_read(task->thread->engine, &c->socket); 1298 } 1299 } 1300 1301 return NXT_AGAIN; 1302 1303 case SSL_ERROR_WANT_WRITE: 1304 c->socket.write_ready = 0; 1305 1306 if (io != NXT_OPENSSL_WRITE) { 1307 nxt_fd_event_block_read(task->thread->engine, &c->socket); 1308 1309 if (nxt_fd_event_is_disabled(c->socket.write)) { 1310 nxt_fd_event_enable_write(task->thread->engine, &c->socket); 1311 } 1312 } 1313 1314 return NXT_AGAIN; 1315 1316 case SSL_ERROR_SYSCALL: 1317 lib_err = ERR_peek_error(); 1318 1319 nxt_debug(task, "ERR_peek_error(): %l", lib_err); 1320 1321 if (sys_err != 0 || lib_err != 0) { 1322 c->socket.error = sys_err; 1323 return NXT_ERROR; 1324 } 1325 1326 /* A connection was just closed. */ 1327 c->socket.closed = 1; 1328 return 0; 1329 1330 case SSL_ERROR_ZERO_RETURN: 1331 /* A "close notify" alert. */ 1332 return 0; 1333 1334 default: /* SSL_ERROR_SSL, etc. */ 1335 c->socket.error = 1000; /* Nonexistent errno code. */ 1336 return NXT_ERROR; 1337 } 1338 } 1339 1340 1341 static void 1342 nxt_openssl_conn_io_shutdown_timeout(nxt_task_t *task, void *obj, void *data) 1343 { 1344 nxt_conn_t *c; 1345 nxt_timer_t *timer; 1346 1347 timer = obj; 1348 1349 nxt_debug(task, "openssl conn shutdown timeout"); 1350 1351 c = nxt_write_timer_conn(timer); 1352 1353 c->socket.timedout = 1; 1354 nxt_openssl_conn_io_shutdown(task, c, NULL); 1355 } 1356 1357 1358 static void nxt_cdecl 1359 nxt_openssl_conn_error(nxt_task_t *task, nxt_err_t err, const char *fmt, ...) 1360 { 1361 u_char *p, *end; 1362 va_list args; 1363 nxt_uint_t level; 1364 u_char msg[NXT_MAX_ERROR_STR]; 1365 1366 level = nxt_openssl_log_error_level(err); 1367 1368 if (nxt_log_level_enough(task->log, level)) { 1369 1370 end = msg + sizeof(msg); 1371 1372 va_start(args, fmt); 1373 p = nxt_vsprintf(msg, end, fmt, args); 1374 va_end(args); 1375 1376 if (err != 0) { 1377 p = nxt_sprintf(p, end, " %E", err); 1378 } 1379 1380 p = nxt_openssl_copy_error(p, end); 1381 1382 nxt_log(task, level, "%*s", p - msg, msg); 1383 1384 } else { 1385 ERR_clear_error(); 1386 } 1387 } 1388 1389 1390 static nxt_uint_t 1391 nxt_openssl_log_error_level(nxt_err_t err) 1392 { 1393 switch (ERR_GET_REASON(ERR_peek_error())) { 1394 1395 case 0: 1396 return nxt_socket_error_level(err); 1397 1398 case SSL_R_BAD_CHANGE_CIPHER_SPEC: /* 103 */ 1399 case SSL_R_BLOCK_CIPHER_PAD_IS_WRONG: /* 129 */ 1400 case SSL_R_DIGEST_CHECK_FAILED: /* 149 */ 1401 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: /* 151 */ 1402 case SSL_R_EXCESSIVE_MESSAGE_SIZE: /* 152 */ 1403 case SSL_R_LENGTH_MISMATCH: /* 159 */ 1404 #ifdef SSL_R_NO_CIPHERS_PASSED 1405 case SSL_R_NO_CIPHERS_PASSED: /* 182 */ 1406 #endif 1407 case SSL_R_NO_CIPHERS_SPECIFIED: /* 183 */ 1408 case SSL_R_NO_COMPRESSION_SPECIFIED: /* 187 */ 1409 case SSL_R_NO_SHARED_CIPHER: /* 193 */ 1410 case SSL_R_RECORD_LENGTH_MISMATCH: /* 213 */ 1411 #ifdef SSL_R_PARSE_TLSEXT 1412 case SSL_R_PARSE_TLSEXT: /* 227 */ 1413 #endif 1414 case SSL_R_UNEXPECTED_MESSAGE: /* 244 */ 1415 case SSL_R_UNEXPECTED_RECORD: /* 245 */ 1416 case SSL_R_UNKNOWN_ALERT_TYPE: /* 246 */ 1417 case SSL_R_UNKNOWN_PROTOCOL: /* 252 */ 1418 case SSL_R_WRONG_VERSION_NUMBER: /* 267 */ 1419 case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: /* 281 */ 1420 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG 1421 case SSL_R_RENEGOTIATE_EXT_TOO_LONG: /* 335 */ 1422 case SSL_R_RENEGOTIATION_ENCODING_ERR: /* 336 */ 1423 case SSL_R_RENEGOTIATION_MISMATCH: /* 337 */ 1424 #endif 1425 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 1426 case SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED: /* 338 */ 1427 #endif 1428 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 1429 case SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING: /* 345 */ 1430 #endif 1431 case 1000:/* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ 1432 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: /* 1010 */ 1433 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: /* 1020 */ 1434 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: /* 1021 */ 1435 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: /* 1022 */ 1436 case SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE: /* 1030 */ 1437 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: /* 1040 */ 1438 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: /* 1047 */ 1439 break; 1440 1441 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: /* 1041 */ 1442 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE: /* 1042 */ 1443 case SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE: /* 1043 */ 1444 case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED: /* 1044 */ 1445 case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED: /* 1045 */ 1446 case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN: /* 1046 */ 1447 case SSL_R_TLSV1_ALERT_UNKNOWN_CA: /* 1048 */ 1448 case SSL_R_TLSV1_ALERT_ACCESS_DENIED: /* 1049 */ 1449 case SSL_R_TLSV1_ALERT_DECODE_ERROR: /* 1050 */ 1450 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: /* 1051 */ 1451 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: /* 1060 */ 1452 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION: /* 1070 */ 1453 case SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY: /* 1071 */ 1454 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: /* 1080 */ 1455 case SSL_R_TLSV1_ALERT_USER_CANCELLED: /* 1090 */ 1456 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: /* 1100 */ 1457 return NXT_LOG_ERR; 1458 1459 default: 1460 return NXT_LOG_ALERT; 1461 } 1462 1463 return NXT_LOG_INFO; 1464 } 1465 1466 1467 void nxt_cdecl 1468 nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level, const char *fmt, ...) 1469 { 1470 u_char *p, *end; 1471 va_list args; 1472 u_char msg[NXT_MAX_ERROR_STR]; 1473 1474 end = msg + sizeof(msg); 1475 1476 va_start(args, fmt); 1477 p = nxt_vsprintf(msg, end, fmt, args); 1478 va_end(args); 1479 1480 p = nxt_openssl_copy_error(p, end); 1481 1482 nxt_log(task, level, "%*s", p - msg, msg); 1483 } 1484 1485 1486 u_char * 1487 nxt_openssl_copy_error(u_char *p, u_char *end) 1488 { 1489 int flags; 1490 u_long err; 1491 nxt_bool_t clear; 1492 const char *data, *delimiter; 1493 1494 err = ERR_peek_error(); 1495 if (err == 0) { 1496 return p; 1497 } 1498 1499 /* Log the most relevant error message ... */ 1500 data = ERR_reason_error_string(err); 1501 1502 p = nxt_sprintf(p, end, " (%d: %s) (OpenSSL: ", ERR_GET_REASON(err), data); 1503 1504 /* 1505 * ... followed by all queued cumbersome OpenSSL error messages 1506 * and drain the error queue. 1507 */ 1508 delimiter = ""; 1509 clear = 0; 1510 1511 for ( ;; ) { 1512 err = ERR_get_error_line_data(NULL, NULL, &data, &flags); 1513 if (err == 0) { 1514 break; 1515 } 1516 1517 p = nxt_sprintf(p, end, "%s", delimiter); 1518 1519 ERR_error_string_n(err, (char *) p, end - p); 1520 1521 while (p < end && *p != '\0') { 1522 p++; 1523 } 1524 1525 if ((flags & ERR_TXT_STRING) != 0) { 1526 p = nxt_sprintf(p, end, ":%s", data); 1527 } 1528 1529 clear |= ((flags & ERR_TXT_MALLOCED) != 0); 1530 1531 delimiter = "; "; 1532 } 1533 1534 /* Deallocate additional data. */ 1535 1536 if (clear) { 1537 ERR_clear_error(); 1538 } 1539 1540 if (p < end) { 1541 *p++ = ')'; 1542 } 1543 1544 return p; 1545 } 1546