nginxtra 1.4.7.9 → 1.6.0.9

data/vendor/nginx/src/event/ngx_event_openssl.h

@@ -29,6 +29,7 @@
 typedef struct {
     SSL_CTX                    *ctx;
     ngx_log_t                  *log;
+    size_t                      buffer_size;
 } ngx_ssl_t;
 
 
@@ -37,6 +38,7 @@ typedef struct {
 
     ngx_int_t                   last;
     ngx_buf_t                  *buf;
+    size_t                      buffer_size;
 
     ngx_connection_handler_pt   handler;
 
@@ -48,6 +50,7 @@ typedef struct {
     unsigned                    buffer:1;
     unsigned                    no_wait_shutdown:1;
     unsigned                    no_send_shutdown:1;
+    unsigned                    handshake_buffer_set:1;
 } ngx_ssl_connection_t;
 
 
@@ -82,6 +85,16 @@ typedef struct {
 } ngx_ssl_session_cache_t;
 
 
+#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
+
+typedef struct {
+    u_char                      name[16];
+    u_char                      aes_key[16];
+    u_char                      hmac_key[16];
+} ngx_ssl_session_ticket_key_t;
+
+#endif
+
 
 #define NGX_SSL_SSLv2    0x0002
 #define NGX_SSL_SSLv3    0x0004
@@ -109,11 +122,14 @@ ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
-RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
+RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
+    int key_length);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
     ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
+ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
+    ngx_array_t *paths);
 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
     ngx_uint_t flags);
@@ -141,6 +157,8 @@ ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
@@ -171,6 +189,7 @@ void ngx_ssl_cleanup_ctx(void *data);
 extern int  ngx_ssl_connection_index;
 extern int  ngx_ssl_server_conf_index;
 extern int  ngx_ssl_session_cache_index;
+extern int  ngx_ssl_session_ticket_keys_index;
 extern int  ngx_ssl_certificate_index;
 extern int  ngx_ssl_stapling_index;
 

data/vendor/nginx/src/event/ngx_event_openssl_stapling.c

@@ -792,7 +792,6 @@ ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
         }
 
         resolve->name = ctx->host;
-        resolve->type = NGX_RESOLVE_A;
         resolve->handler = ngx_ssl_ocsp_resolve_handler;
         resolve->data = ctx;
         resolve->timeout = ctx->resolver_timeout;
@@ -816,13 +815,14 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
 {
     ngx_ssl_ocsp_ctx_t *ctx = resolve->data;
 
-    u_char              *p;
-    size_t               len;
-    in_port_t            port;
-    ngx_uint_t           i;
-    struct sockaddr_in  *sin;
+    u_char           *p;
+    size_t            len;
+    in_port_t         port;
+    socklen_t         socklen;
+    ngx_uint_t        i;
+    struct sockaddr  *sockaddr;
 
-    ngx_log_debug0(NGX_LOG_ALERT, ctx->log, 0,
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                    "ssl ocsp resolve handler");
 
     if (resolve->state) {
@@ -835,15 +835,19 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
 
 #if (NGX_DEBUG)
     {
-    in_addr_t   addr;
+    u_char     text[NGX_SOCKADDR_STRLEN];
+    ngx_str_t  addr;
+
+    addr.data = text;
 
     for (i = 0; i < resolve->naddrs; i++) {
-        addr = ntohl(resolve->addrs[i]);
+        addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr,
+                                 resolve->addrs[i].socklen,
+                                 text, NGX_SOCKADDR_STRLEN, 0);
+
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
+                       "name was resolved to %V", &addr);
 
-        ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
-                       "name was resolved to %ud.%ud.%ud.%ud",
-                       (addr >> 24) & 0xff, (addr >> 16) & 0xff,
-                       (addr >> 8) & 0xff, addr & 0xff);
     }
     }
 #endif
@@ -859,26 +863,34 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
 
     for (i = 0; i < resolve->naddrs; i++) {
 
-        sin = ngx_pcalloc(ctx->pool, sizeof(struct sockaddr_in));
-        if (sin == NULL) {
+        socklen = resolve->addrs[i].socklen;
+
+        sockaddr = ngx_palloc(ctx->pool, socklen);
+        if (sockaddr == NULL) {
             goto failed;
         }
 
-        sin->sin_family = AF_INET;
-        sin->sin_port = port;
-        sin->sin_addr.s_addr = resolve->addrs[i];
+        ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen);
 
-        ctx->addrs[i].sockaddr = (struct sockaddr *) sin;
-        ctx->addrs[i].socklen = sizeof(struct sockaddr_in);
+        switch (sockaddr->sa_family) {
+#if (NGX_HAVE_INET6)
+        case AF_INET6:
+            ((struct sockaddr_in6 *) sockaddr)->sin6_port = port;
+            break;
+#endif
+        default: /* AF_INET */
+            ((struct sockaddr_in *) sockaddr)->sin_port = port;
+        }
 
-        len = NGX_INET_ADDRSTRLEN + sizeof(":65535") - 1;
+        ctx->addrs[i].sockaddr = sockaddr;
+        ctx->addrs[i].socklen = socklen;
 
-        p = ngx_pnalloc(ctx->pool, len);
+        p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN);
         if (p == NULL) {
             goto failed;
         }
 
-        len = ngx_sock_ntop((struct sockaddr *) sin, p, len, 1);
+        len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1);
 
         ctx->addrs[i].name.len = len;
         ctx->addrs[i].name.data = p;

data/vendor/nginx/src/event/ngx_event_pipe.c

@@ -57,7 +57,7 @@ ngx_event_pipe(ngx_event_pipe_t *p, ngx_int_t do_write)
         do_write = 1;
     }
 
-    if (p->upstream->fd != -1) {
+    if (p->upstream->fd != (ngx_socket_t) -1) {
         rev = p->upstream->read;
 
         flags = (rev->eof || rev->error) ? NGX_CLOSE_EVENT : 0;
@@ -74,7 +74,9 @@ ngx_event_pipe(ngx_event_pipe_t *p, ngx_int_t do_write)
         }
     }
 
-    if (p->downstream->fd != -1 && p->downstream->data == p->output_ctx) {
+    if (p->downstream->fd != (ngx_socket_t) -1
+        && p->downstream->data == p->output_ctx)
+    {
         wev = p->downstream->write;
         if (ngx_handle_write_event(wev, p->send_lowat) != NGX_OK) {
             return NGX_ABORT;
@@ -220,8 +222,8 @@ ngx_event_pipe_read_upstream(ngx_event_pipe_t *p)
             {
 
                 /*
-                 * if it is allowed, then save some bufs from r->in
-                 * to a temporary file, and add them to a r->out chain
+                 * if it is allowed, then save some bufs from p->in
+                 * to a temporary file, and add them to a p->out chain
                  */
 
                 rc = ngx_event_pipe_write_chain_to_temp_file(p);
@@ -454,7 +456,7 @@ ngx_event_pipe_write_to_downstream(ngx_event_pipe_t *p)
     size_t             bsize;
     ngx_int_t          rc;
     ngx_uint_t         flush, flushed, prev_last_shadow;
-    ngx_chain_t       *out, **ll, *cl, file;
+    ngx_chain_t       *out, **ll, *cl;
     ngx_connection_t  *downstream;
 
     downstream = p->downstream;
@@ -514,13 +516,10 @@ ngx_event_pipe_write_to_downstream(ngx_event_pipe_t *p)
             }
 
             if (p->cacheable && p->buf_to_file) {
+                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, p->log, 0,
+                               "pipe write chain");
 
-                file.buf = p->buf_to_file;
-                file.next = NULL;
-
-                if (ngx_write_chain_to_temp_file(p->temp_file, &file)
-                    == NGX_ERROR)
-                {
+                if (ngx_event_pipe_write_chain_to_temp_file(p) == NGX_ABORT) {
                     return NGX_ABORT;
                 }
             }
@@ -858,19 +857,13 @@ ngx_event_pipe_copy_input_filter(ngx_event_pipe_t *p, ngx_buf_t *buf)
         return NGX_OK;
     }
 
-    if (p->free) {
-        cl = p->free;
-        b = cl->buf;
-        p->free = cl->next;
-        ngx_free_chain(p->pool, cl);
-
-    } else {
-        b = ngx_alloc_buf(p->pool);
-        if (b == NULL) {
-            return NGX_ERROR;
-        }
+    cl = ngx_chain_get_free_buf(p->pool, &p->free);
+    if (cl == NULL) {
+        return NGX_ERROR;
     }
 
+    b = cl->buf;
+
     ngx_memcpy(b, buf, sizeof(ngx_buf_t));
     b->shadow = buf;
     b->tag = p->tag;
@@ -878,14 +871,6 @@ ngx_event_pipe_copy_input_filter(ngx_event_pipe_t *p, ngx_buf_t *buf)
     b->recycled = 1;
     buf->shadow = b;
 
-    cl = ngx_alloc_chain_link(p->pool);
-    if (cl == NULL) {
-        return NGX_ERROR;
-    }
-
-    cl->buf = b;
-    cl->next = NULL;
-
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, p->log, 0, "input buf #%d", b->num);
 
     if (p->in) {

data/vendor/nginx/src/http/modules/ngx_http_access_module.c

@@ -26,11 +26,22 @@ typedef struct {
 
 #endif
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+typedef struct {
+    ngx_uint_t        deny;      /* unsigned  deny:1; */
+} ngx_http_access_rule_un_t;
+
+#endif
+
 typedef struct {
     ngx_array_t      *rules;     /* array of ngx_http_access_rule_t */
 #if (NGX_HAVE_INET6)
     ngx_array_t      *rules6;    /* array of ngx_http_access_rule6_t */
 #endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+    ngx_array_t      *rules_un;  /* array of ngx_http_access_rule_un_t */
+#endif
 } ngx_http_access_loc_conf_t;
 
 
@@ -41,6 +52,10 @@ static ngx_int_t ngx_http_access_inet(ngx_http_request_t *r,
 static ngx_int_t ngx_http_access_inet6(ngx_http_request_t *r,
     ngx_http_access_loc_conf_t *alcf, u_char *p);
 #endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+static ngx_int_t ngx_http_access_unix(ngx_http_request_t *r,
+    ngx_http_access_loc_conf_t *alcf);
+#endif
 static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny);
 static char *ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
@@ -144,6 +159,19 @@ ngx_http_access_handler(ngx_http_request_t *r)
             return ngx_http_access_inet6(r, alcf, p);
         }
 
+        break;
+
+#endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+    case AF_UNIX:
+        if (alcf->rules_un) {
+            return ngx_http_access_unix(r, alcf);
+        }
+
+        break;
+
 #endif
     }
 
@@ -221,6 +249,29 @@ ngx_http_access_inet6(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf,
 #endif
 
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+static ngx_int_t
+ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf)
+{
+    ngx_uint_t                  i;
+    ngx_http_access_rule_un_t  *rule_un;
+
+    rule_un = alcf->rules_un->elts;
+    for (i = 0; i < alcf->rules_un->nelts; i++) {
+
+        /* TODO: check path */
+        if (1) {
+            return ngx_http_access_found(r, rule_un[i].deny);
+        }
+    }
+
+    return NGX_DECLINED;
+}
+
+#endif
+
+
 static ngx_int_t
 ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny)
 {
@@ -246,13 +297,16 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {
     ngx_http_access_loc_conf_t *alcf = conf;
 
-    ngx_int_t                 rc;
-    ngx_uint_t                all;
-    ngx_str_t                *value;
-    ngx_cidr_t                cidr;
-    ngx_http_access_rule_t   *rule;
+    ngx_int_t                   rc;
+    ngx_uint_t                  all;
+    ngx_str_t                  *value;
+    ngx_cidr_t                  cidr;
+    ngx_http_access_rule_t     *rule;
 #if (NGX_HAVE_INET6)
-    ngx_http_access_rule6_t  *rule6;
+    ngx_http_access_rule6_t    *rule6;
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+    ngx_http_access_rule_un_t  *rule_un;
 #endif
 
     ngx_memzero(&cidr, sizeof(ngx_cidr_t));
@@ -263,7 +317,19 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 
     if (!all) {
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+        if (value[1].len == 5 && ngx_strcmp(value[1].data, "unix:") == 0) {
+            cidr.family = AF_UNIX;
+            rc = NGX_OK;
+
+        } else {
+            rc = ngx_ptocidr(&value[1], &cidr);
+        }
+
+#else
         rc = ngx_ptocidr(&value[1], &cidr);
+#endif
 
         if (rc == NGX_ERROR) {
             ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
@@ -277,11 +343,28 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
         }
     }
 
-    switch (cidr.family) {
+    if (cidr.family == AF_INET || all) {
+
+        if (alcf->rules == NULL) {
+            alcf->rules = ngx_array_create(cf->pool, 4,
+                                           sizeof(ngx_http_access_rule_t));
+            if (alcf->rules == NULL) {
+                return NGX_CONF_ERROR;
+            }
+        }
+
+        rule = ngx_array_push(alcf->rules);
+        if (rule == NULL) {
+            return NGX_CONF_ERROR;
+        }
+
+        rule->mask = cidr.u.in.mask;
+        rule->addr = cidr.u.in.addr;
+        rule->deny = (value[0].data[0] == 'd') ? 1 : 0;
+    }
 
 #if (NGX_HAVE_INET6)
-    case AF_INET6:
-    case 0: /* all */
+    if (cidr.family == AF_INET6 || all) {
 
         if (alcf->rules6 == NULL) {
             alcf->rules6 = ngx_array_create(cf->pool, 4,
@@ -299,33 +382,28 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
         rule6->mask = cidr.u.in6.mask;
         rule6->addr = cidr.u.in6.addr;
         rule6->deny = (value[0].data[0] == 'd') ? 1 : 0;
-
-        if (!all) {
-            break;
-        }
-
-        /* "all" passes through */
+    }
 #endif
 
-    default: /* AF_INET */
+#if (NGX_HAVE_UNIX_DOMAIN)
+    if (cidr.family == AF_UNIX || all) {
 
-        if (alcf->rules == NULL) {
-            alcf->rules = ngx_array_create(cf->pool, 4,
-                                           sizeof(ngx_http_access_rule_t));
-            if (alcf->rules == NULL) {
+        if (alcf->rules_un == NULL) {
+            alcf->rules_un = ngx_array_create(cf->pool, 1,
+                                            sizeof(ngx_http_access_rule_un_t));
+            if (alcf->rules_un == NULL) {
                 return NGX_CONF_ERROR;
             }
         }
 
-        rule = ngx_array_push(alcf->rules);
-        if (rule == NULL) {
+        rule_un = ngx_array_push(alcf->rules_un);
+        if (rule_un == NULL) {
             return NGX_CONF_ERROR;
         }
 
-        rule->mask = cidr.u.in.mask;
-        rule->addr = cidr.u.in.addr;
-        rule->deny = (value[0].data[0] == 'd') ? 1 : 0;
+        rule_un->deny = (value[0].data[0] == 'd') ? 1 : 0;
     }
+#endif
 
     return NGX_CONF_OK;
 }
@@ -351,20 +429,22 @@ ngx_http_access_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_http_access_loc_conf_t  *prev = parent;
     ngx_http_access_loc_conf_t  *conf = child;
 
+    if (conf->rules == NULL
 #if (NGX_HAVE_INET6)
-
-    if (conf->rules == NULL && conf->rules6 == NULL) {
+        && conf->rules6 == NULL
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+        && conf->rules_un == NULL
+#endif
+    ) {
         conf->rules = prev->rules;
+#if (NGX_HAVE_INET6)
         conf->rules6 = prev->rules6;
-    }
-
-#else
-
-    if (conf->rules == NULL) {
-        conf->rules = prev->rules;
-    }
-
 #endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+        conf->rules_un = prev->rules_un;
+#endif
+    }
 
     return NGX_CONF_OK;
 }