nginxtra 1.4.7.9 → 1.6.0.9

Files changed (169) hide show
  1. checksums.yaml +4 -4
  2. data/bin/nginxtra +1 -1
  3. data/bin/nginxtra_rails +1 -1
  4. data/lib/nginxtra/version.rb +1 -1
  5. data/vendor/nginx/CHANGES +286 -19
  6. data/vendor/nginx/CHANGES.ru +296 -22
  7. data/vendor/nginx/auto/cc/clang +4 -3
  8. data/vendor/nginx/auto/cc/conf +23 -0
  9. data/vendor/nginx/auto/cc/msvc +1 -0
  10. data/vendor/nginx/auto/cc/name +1 -1
  11. data/vendor/nginx/auto/cc/owc +4 -4
  12. data/vendor/nginx/auto/cc/sunc +1 -1
  13. data/vendor/nginx/auto/endianness +2 -2
  14. data/vendor/nginx/auto/feature +1 -1
  15. data/vendor/nginx/auto/include +1 -1
  16. data/vendor/nginx/auto/lib/libatomic/make +3 -1
  17. data/vendor/nginx/auto/lib/openssl/conf +4 -0
  18. data/vendor/nginx/auto/lib/openssl/make +1 -1
  19. data/vendor/nginx/auto/lib/pcre/conf +5 -0
  20. data/vendor/nginx/auto/lib/pcre/make +11 -11
  21. data/vendor/nginx/auto/lib/pcre/makefile.bcc +4 -3
  22. data/vendor/nginx/auto/lib/pcre/makefile.msvc +2 -1
  23. data/vendor/nginx/auto/lib/pcre/makefile.owc +2 -1
  24. data/vendor/nginx/auto/lib/perl/make +1 -0
  25. data/vendor/nginx/auto/lib/test +1 -1
  26. data/vendor/nginx/auto/lib/zlib/make +22 -1
  27. data/vendor/nginx/auto/modules +8 -0
  28. data/vendor/nginx/auto/options +3 -0
  29. data/vendor/nginx/auto/os/darwin +1 -1
  30. data/vendor/nginx/auto/os/linux +32 -0
  31. data/vendor/nginx/auto/os/win32 +12 -1
  32. data/vendor/nginx/auto/sources +8 -2
  33. data/vendor/nginx/auto/types/sizeof +1 -1
  34. data/vendor/nginx/auto/types/typedef +1 -1
  35. data/vendor/nginx/auto/types/uintptr_t +1 -1
  36. data/vendor/nginx/auto/unix +13 -1
  37. data/vendor/nginx/conf/mime.types +11 -2
  38. data/vendor/nginx/conf/nginx.conf +3 -4
  39. data/vendor/nginx/contrib/README +6 -0
  40. data/vendor/nginx/contrib/vim/ftdetect/nginx.vim +4 -0
  41. data/vendor/nginx/contrib/vim/indent/nginx.vim +11 -0
  42. data/vendor/nginx/contrib/vim/syntax/nginx.vim +703 -0
  43. data/vendor/nginx/src/core/nginx.c +2 -7
  44. data/vendor/nginx/src/core/nginx.h +2 -2
  45. data/vendor/nginx/src/core/ngx_conf_file.c +8 -88
  46. data/vendor/nginx/src/core/ngx_conf_file.h +3 -3
  47. data/vendor/nginx/src/core/ngx_config.h +2 -2
  48. data/vendor/nginx/src/core/ngx_connection.c +100 -29
  49. data/vendor/nginx/src/core/ngx_connection.h +11 -0
  50. data/vendor/nginx/src/core/ngx_core.h +1 -0
  51. data/vendor/nginx/src/core/ngx_cycle.c +23 -99
  52. data/vendor/nginx/src/core/ngx_cycle.h +2 -0
  53. data/vendor/nginx/src/core/ngx_file.c +100 -8
  54. data/vendor/nginx/src/core/ngx_file.h +3 -0
  55. data/vendor/nginx/src/core/ngx_hash.c +6 -9
  56. data/vendor/nginx/src/core/ngx_inet.c +93 -5
  57. data/vendor/nginx/src/core/ngx_inet.h +4 -2
  58. data/vendor/nginx/src/core/ngx_list.c +1 -9
  59. data/vendor/nginx/src/core/ngx_log.c +132 -30
  60. data/vendor/nginx/src/core/ngx_log.h +5 -2
  61. data/vendor/nginx/src/core/ngx_open_file_cache.c +67 -1
  62. data/vendor/nginx/src/core/ngx_palloc.c +5 -2
  63. data/vendor/nginx/src/core/ngx_proxy_protocol.c +91 -0
  64. data/vendor/nginx/src/core/ngx_proxy_protocol.h +23 -0
  65. data/vendor/nginx/src/core/ngx_resolver.c +1080 -285
  66. data/vendor/nginx/src/core/ngx_resolver.h +33 -3
  67. data/vendor/nginx/src/core/ngx_slab.c +7 -2
  68. data/vendor/nginx/src/core/ngx_slab.h +2 -0
  69. data/vendor/nginx/src/core/ngx_string.c +78 -13
  70. data/vendor/nginx/src/core/ngx_string.h +2 -0
  71. data/vendor/nginx/src/event/modules/ngx_devpoll_module.c +2 -2
  72. data/vendor/nginx/src/event/modules/ngx_epoll_module.c +13 -5
  73. data/vendor/nginx/src/event/modules/ngx_select_module.c +1 -1
  74. data/vendor/nginx/src/event/modules/ngx_win32_select_module.c +2 -2
  75. data/vendor/nginx/src/event/ngx_event.c +0 -1
  76. data/vendor/nginx/src/event/ngx_event.h +7 -6
  77. data/vendor/nginx/src/event/ngx_event_accept.c +6 -4
  78. data/vendor/nginx/src/event/ngx_event_connect.c +2 -2
  79. data/vendor/nginx/src/event/ngx_event_openssl.c +304 -13
  80. data/vendor/nginx/src/event/ngx_event_openssl.h +20 -1
  81. data/vendor/nginx/src/event/ngx_event_openssl_stapling.c +35 -23
  82. data/vendor/nginx/src/event/ngx_event_pipe.c +15 -30
  83. data/vendor/nginx/src/http/modules/ngx_http_access_module.c +115 -35
  84. data/vendor/nginx/src/http/modules/ngx_http_auth_basic_module.c +1 -1
  85. data/vendor/nginx/src/http/modules/ngx_http_auth_request_module.c +444 -0
  86. data/vendor/nginx/src/http/modules/ngx_http_autoindex_module.c +2 -1
  87. data/vendor/nginx/src/http/modules/ngx_http_charset_filter_module.c +1 -1
  88. data/vendor/nginx/src/http/modules/ngx_http_dav_module.c +1 -3
  89. data/vendor/nginx/src/http/modules/ngx_http_fastcgi_module.c +251 -36
  90. data/vendor/nginx/src/http/modules/ngx_http_gunzip_filter_module.c +9 -5
  91. data/vendor/nginx/src/http/modules/ngx_http_gzip_filter_module.c +5 -3
  92. data/vendor/nginx/src/http/modules/ngx_http_gzip_static_module.c +1 -1
  93. data/vendor/nginx/src/http/modules/ngx_http_headers_filter_module.c +4 -0
  94. data/vendor/nginx/src/http/modules/ngx_http_image_filter_module.c +8 -2
  95. data/vendor/nginx/src/http/modules/ngx_http_limit_req_module.c +5 -1
  96. data/vendor/nginx/src/http/modules/ngx_http_map_module.c +3 -3
  97. data/vendor/nginx/src/http/modules/ngx_http_memcached_module.c +21 -10
  98. data/vendor/nginx/src/http/modules/ngx_http_mp4_module.c +669 -197
  99. data/vendor/nginx/src/http/modules/ngx_http_proxy_module.c +93 -60
  100. data/vendor/nginx/src/http/modules/ngx_http_range_filter_module.c +13 -6
  101. data/vendor/nginx/src/http/modules/ngx_http_realip_module.c +20 -1
  102. data/vendor/nginx/src/http/modules/ngx_http_referer_module.c +132 -74
  103. data/vendor/nginx/src/http/modules/ngx_http_scgi_module.c +18 -12
  104. data/vendor/nginx/src/http/modules/ngx_http_ssi_filter_module.c +22 -20
  105. data/vendor/nginx/src/http/modules/ngx_http_ssl_module.c +121 -3
  106. data/vendor/nginx/src/http/modules/ngx_http_ssl_module.h +5 -0
  107. data/vendor/nginx/src/http/modules/ngx_http_stub_status_module.c +3 -0
  108. data/vendor/nginx/src/http/modules/ngx_http_sub_filter_module.c +123 -91
  109. data/vendor/nginx/src/http/modules/ngx_http_upstream_ip_hash_module.c +29 -19
  110. data/vendor/nginx/src/http/modules/ngx_http_upstream_keepalive_module.c +2 -5
  111. data/vendor/nginx/src/http/modules/ngx_http_uwsgi_module.c +215 -19
  112. data/vendor/nginx/src/http/modules/ngx_http_xslt_filter_module.c +32 -6
  113. data/vendor/nginx/src/http/modules/perl/nginx.xs +4 -7
  114. data/vendor/nginx/src/http/modules/perl/ngx_http_perl_module.c +2 -2
  115. data/vendor/nginx/src/http/ngx_http.c +17 -7
  116. data/vendor/nginx/src/http/ngx_http_cache.h +4 -2
  117. data/vendor/nginx/src/http/ngx_http_copy_filter_module.c +4 -2
  118. data/vendor/nginx/src/http/ngx_http_core_module.c +63 -50
  119. data/vendor/nginx/src/http/ngx_http_core_module.h +5 -0
  120. data/vendor/nginx/src/http/ngx_http_file_cache.c +115 -3
  121. data/vendor/nginx/src/http/ngx_http_header_filter_module.c +9 -6
  122. data/vendor/nginx/src/http/ngx_http_parse.c +88 -10
  123. data/vendor/nginx/src/http/ngx_http_postpone_filter_module.c +2 -4
  124. data/vendor/nginx/src/http/ngx_http_request.c +116 -8
  125. data/vendor/nginx/src/http/ngx_http_request.h +5 -1
  126. data/vendor/nginx/src/http/ngx_http_request_body.c +7 -7
  127. data/vendor/nginx/src/http/ngx_http_script.c +6 -5
  128. data/vendor/nginx/src/http/ngx_http_spdy.c +889 -271
  129. data/vendor/nginx/src/http/ngx_http_spdy.h +51 -28
  130. data/vendor/nginx/src/http/ngx_http_spdy_filter_module.c +382 -167
  131. data/vendor/nginx/src/http/ngx_http_spdy_module.c +65 -8
  132. data/vendor/nginx/src/http/ngx_http_spdy_module.h +5 -0
  133. data/vendor/nginx/src/http/ngx_http_special_response.c +1 -1
  134. data/vendor/nginx/src/http/ngx_http_upstream.c +290 -114
  135. data/vendor/nginx/src/http/ngx_http_upstream.h +9 -5
  136. data/vendor/nginx/src/http/ngx_http_upstream_round_robin.c +32 -24
  137. data/vendor/nginx/src/http/ngx_http_variables.c +40 -6
  138. data/vendor/nginx/src/http/ngx_http_write_filter_module.c +12 -5
  139. data/vendor/nginx/src/mail/ngx_mail.c +4 -2
  140. data/vendor/nginx/src/mail/ngx_mail.h +2 -0
  141. data/vendor/nginx/src/mail/ngx_mail_auth_http_module.c +0 -1
  142. data/vendor/nginx/src/mail/ngx_mail_core_module.c +2 -1
  143. data/vendor/nginx/src/mail/ngx_mail_handler.c +17 -4
  144. data/vendor/nginx/src/mail/ngx_mail_parse.c +32 -2
  145. data/vendor/nginx/src/mail/ngx_mail_proxy_module.c +54 -7
  146. data/vendor/nginx/src/mail/ngx_mail_smtp_handler.c +50 -78
  147. data/vendor/nginx/src/mail/ngx_mail_ssl_module.c +48 -11
  148. data/vendor/nginx/src/mail/ngx_mail_ssl_module.h +3 -0
  149. data/vendor/nginx/src/os/unix/ngx_channel.c +3 -1
  150. data/vendor/nginx/src/os/unix/ngx_darwin_config.h +1 -0
  151. data/vendor/nginx/src/os/unix/ngx_darwin_init.c +1 -1
  152. data/vendor/nginx/src/os/unix/ngx_darwin_sendfile_chain.c +14 -16
  153. data/vendor/nginx/src/os/unix/ngx_errno.h +3 -0
  154. data/vendor/nginx/src/os/unix/ngx_files.h +10 -16
  155. data/vendor/nginx/src/os/unix/ngx_freebsd_config.h +6 -0
  156. data/vendor/nginx/src/os/unix/ngx_freebsd_init.c +1 -1
  157. data/vendor/nginx/src/os/unix/ngx_freebsd_rfork_thread.c +1 -1
  158. data/vendor/nginx/src/os/unix/ngx_freebsd_rfork_thread.h +2 -2
  159. data/vendor/nginx/src/os/unix/ngx_freebsd_sendfile_chain.c +17 -19
  160. data/vendor/nginx/src/os/unix/ngx_linux_config.h +8 -2
  161. data/vendor/nginx/src/os/unix/ngx_linux_sendfile_chain.c +20 -22
  162. data/vendor/nginx/src/os/unix/ngx_posix_config.h +1 -0
  163. data/vendor/nginx/src/os/unix/ngx_process.c +5 -0
  164. data/vendor/nginx/src/os/unix/ngx_process_cycle.c +15 -3
  165. data/vendor/nginx/src/os/unix/ngx_readv_chain.c +2 -1
  166. data/vendor/nginx/src/os/unix/ngx_recv.c +4 -1
  167. data/vendor/nginx/src/os/unix/ngx_solaris_config.h +1 -0
  168. data/vendor/nginx/src/os/unix/ngx_solaris_sendfilev_chain.c +14 -16
  169. metadata +8 -2
@@ -31,7 +31,7 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
31
31
 
32
32
  ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pc->log, 0, "socket %d", s);
33
33
 
34
- if (s == -1) {
34
+ if (s == (ngx_socket_t) -1) {
35
35
  ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
36
36
  ngx_socket_n " failed");
37
37
  return NGX_ERROR;
@@ -122,7 +122,7 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
122
122
  }
123
123
 
124
124
  ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pc->log, 0,
125
- "connect to %V, fd:%d #%d", pc->name, s, c->number);
125
+ "connect to %V, fd:%d #%uA", pc->name, s, c->number);
126
126
 
127
127
  rc = connect(s, pc->sockaddr, pc->socklen);
128
128
 
@@ -15,7 +15,7 @@ typedef struct {
15
15
  } ngx_openssl_conf_t;
16
16
 
17
17
 
18
- static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
18
+ static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
19
19
  static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
20
20
  int ret);
21
21
  static void ngx_ssl_handshake_handler(ngx_event_t *ev);
@@ -38,6 +38,12 @@ static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
38
38
  static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
39
39
  ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel);
40
40
 
41
+ #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
42
+ static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
43
+ unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
44
+ HMAC_CTX *hctx, int enc);
45
+ #endif
46
+
41
47
  static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
42
48
  static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
43
49
  static void ngx_openssl_exit(ngx_cycle_t *cycle);
@@ -82,6 +88,7 @@ ngx_module_t ngx_openssl_module = {
82
88
  int ngx_ssl_connection_index;
83
89
  int ngx_ssl_server_conf_index;
84
90
  int ngx_ssl_session_cache_index;
91
+ int ngx_ssl_session_ticket_keys_index;
85
92
  int ngx_ssl_certificate_index;
86
93
  int ngx_ssl_stapling_index;
87
94
 
@@ -139,6 +146,14 @@ ngx_ssl_init(ngx_log_t *log)
139
146
  return NGX_ERROR;
140
147
  }
141
148
 
149
+ ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
150
+ NULL, NULL);
151
+ if (ngx_ssl_session_ticket_keys_index == -1) {
152
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0,
153
+ "SSL_CTX_get_ex_new_index() failed");
154
+ return NGX_ERROR;
155
+ }
156
+
142
157
  ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
143
158
  NULL);
144
159
  if (ngx_ssl_certificate_index == -1) {
@@ -175,6 +190,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
175
190
  return NGX_ERROR;
176
191
  }
177
192
 
193
+ ssl->buffer_size = NGX_SSL_BUFSIZE;
194
+
178
195
  /* client side options */
179
196
 
180
197
  SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
@@ -185,8 +202,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
185
202
  SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
186
203
  SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
187
204
 
205
+ #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
188
206
  /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
189
207
  SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
208
+ #endif
190
209
 
191
210
  SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
192
211
  SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
@@ -278,6 +297,8 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
278
297
  {
279
298
  ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
280
299
  "SSL_CTX_set_ex_data() failed");
300
+ X509_free(x509);
301
+ BIO_free(bio);
281
302
  return NGX_ERROR;
282
303
  }
283
304
 
@@ -342,7 +363,7 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
342
363
  {
343
364
  STACK_OF(X509_NAME) *list;
344
365
 
345
- SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_http_ssl_verify_callback);
366
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
346
367
 
347
368
  SSL_CTX_set_verify_depth(ssl->ctx, depth);
348
369
 
@@ -363,6 +384,13 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
363
384
  return NGX_ERROR;
364
385
  }
365
386
 
387
+ /*
388
+ * SSL_CTX_load_verify_locations() may leave errors in the error queue
389
+ * while returning success
390
+ */
391
+
392
+ ERR_clear_error();
393
+
366
394
  list = SSL_load_client_CA_file((char *) cert->data);
367
395
 
368
396
  if (list == NULL) {
@@ -407,6 +435,13 @@ ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
407
435
  return NGX_ERROR;
408
436
  }
409
437
 
438
+ /*
439
+ * SSL_CTX_load_verify_locations() may leave errors in the error queue
440
+ * while returning success
441
+ */
442
+
443
+ ERR_clear_error();
444
+
410
445
  return NGX_OK;
411
446
  }
412
447
 
@@ -457,7 +492,7 @@ ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
457
492
 
458
493
 
459
494
  static int
460
- ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
495
+ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
461
496
  {
462
497
  #if (NGX_DEBUG)
463
498
  char *subject, *issuer;
@@ -503,6 +538,7 @@ ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
503
538
  static void
504
539
  ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
505
540
  {
541
+ BIO *rbio, *wbio;
506
542
  ngx_connection_t *c;
507
543
 
508
544
  if (where & SSL_CB_HANDSHAKE_START) {
@@ -513,11 +549,37 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
513
549
  ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
514
550
  }
515
551
  }
552
+
553
+ if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
554
+ c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
555
+
556
+ if (!c->ssl->handshake_buffer_set) {
557
+ /*
558
+ * By default OpenSSL uses 4k buffer during a handshake,
559
+ * which is too low for long certificate chains and might
560
+ * result in extra round-trips.
561
+ *
562
+ * To adjust a buffer size we detect that buffering was added
563
+ * to write side of the connection by comparing rbio and wbio.
564
+ * If they are different, we assume that it's due to buffering
565
+ * added to wbio, and set buffer size.
566
+ */
567
+
568
+ rbio = SSL_get_rbio((ngx_ssl_conn_t *) ssl_conn);
569
+ wbio = SSL_get_wbio((ngx_ssl_conn_t *) ssl_conn);
570
+
571
+ if (rbio != wbio) {
572
+ (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE);
573
+ c->ssl->handshake_buffer_set = 1;
574
+ }
575
+ }
576
+ }
516
577
  }
517
578
 
518
579
 
519
580
  RSA *
520
- ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length)
581
+ ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
582
+ int key_length)
521
583
  {
522
584
  static RSA *key;
523
585
 
@@ -666,6 +728,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
666
728
  }
667
729
 
668
730
  sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
731
+ sc->buffer_size = ssl->buffer_size;
669
732
 
670
733
  sc->connection = SSL_new(ssl->ctx);
671
734
 
@@ -1162,7 +1225,7 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
1162
1225
  buf = c->ssl->buf;
1163
1226
 
1164
1227
  if (buf == NULL) {
1165
- buf = ngx_create_temp_buf(c->pool, NGX_SSL_BUFSIZE);
1228
+ buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size);
1166
1229
  if (buf == NULL) {
1167
1230
  return NGX_CHAIN_ERROR;
1168
1231
  }
@@ -1171,14 +1234,14 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
1171
1234
  }
1172
1235
 
1173
1236
  if (buf->start == NULL) {
1174
- buf->start = ngx_palloc(c->pool, NGX_SSL_BUFSIZE);
1237
+ buf->start = ngx_palloc(c->pool, c->ssl->buffer_size);
1175
1238
  if (buf->start == NULL) {
1176
1239
  return NGX_CHAIN_ERROR;
1177
1240
  }
1178
1241
 
1179
1242
  buf->pos = buf->start;
1180
1243
  buf->last = buf->start;
1181
- buf->end = buf->start + NGX_SSL_BUFSIZE;
1244
+ buf->end = buf->start + c->ssl->buffer_size;
1182
1245
  }
1183
1246
 
1184
1247
  send = buf->last - buf->pos;
@@ -1664,6 +1727,8 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
1664
1727
  {
1665
1728
  long cache_mode;
1666
1729
 
1730
+ SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
1731
+
1667
1732
  if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
1668
1733
  SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
1669
1734
  return NGX_OK;
@@ -1709,8 +1774,6 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
1709
1774
  }
1710
1775
  }
1711
1776
 
1712
- SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
1713
-
1714
1777
  if (shm_zone) {
1715
1778
  SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
1716
1779
  SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
@@ -1741,13 +1804,13 @@ ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
1741
1804
  return NGX_OK;
1742
1805
  }
1743
1806
 
1807
+ shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
1808
+
1744
1809
  if (shm_zone->shm.exists) {
1745
- shm_zone->data = data;
1810
+ shm_zone->data = shpool->data;
1746
1811
  return NGX_OK;
1747
1812
  }
1748
1813
 
1749
- shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
1750
-
1751
1814
  cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t));
1752
1815
  if (cache == NULL) {
1753
1816
  return NGX_ERROR;
@@ -1771,6 +1834,8 @@ ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
1771
1834
  ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z",
1772
1835
  &shm_zone->shm.name);
1773
1836
 
1837
+ shpool->log_nomem = 0;
1838
+
1774
1839
  return NGX_OK;
1775
1840
  }
1776
1841
 
@@ -1923,7 +1988,7 @@ failed:
1923
1988
  ngx_shmtx_unlock(&shpool->mutex);
1924
1989
 
1925
1990
  ngx_log_error(NGX_LOG_ALERT, c->log, 0,
1926
- "could not add new SSL session to the session cache");
1991
+ "could not allocate new session%s", shpool->log_ctx);
1927
1992
 
1928
1993
  return 0;
1929
1994
  }
@@ -2200,6 +2265,218 @@ ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
2200
2265
  }
2201
2266
 
2202
2267
 
2268
+ #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
2269
+
2270
+ ngx_int_t
2271
+ ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
2272
+ {
2273
+ u_char buf[48];
2274
+ ssize_t n;
2275
+ ngx_str_t *path;
2276
+ ngx_file_t file;
2277
+ ngx_uint_t i;
2278
+ ngx_array_t *keys;
2279
+ ngx_file_info_t fi;
2280
+ ngx_ssl_session_ticket_key_t *key;
2281
+
2282
+ if (paths == NULL) {
2283
+ return NGX_OK;
2284
+ }
2285
+
2286
+ keys = ngx_array_create(cf->pool, paths->nelts,
2287
+ sizeof(ngx_ssl_session_ticket_key_t));
2288
+ if (keys == NULL) {
2289
+ return NGX_ERROR;
2290
+ }
2291
+
2292
+ path = paths->elts;
2293
+ for (i = 0; i < paths->nelts; i++) {
2294
+
2295
+ if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) {
2296
+ return NGX_ERROR;
2297
+ }
2298
+
2299
+ ngx_memzero(&file, sizeof(ngx_file_t));
2300
+ file.name = path[i];
2301
+ file.log = cf->log;
2302
+
2303
+ file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, 0, 0);
2304
+ if (file.fd == NGX_INVALID_FILE) {
2305
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
2306
+ ngx_open_file_n " \"%V\" failed", &file.name);
2307
+ return NGX_ERROR;
2308
+ }
2309
+
2310
+ if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) {
2311
+ ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
2312
+ ngx_fd_info_n " \"%V\" failed", &file.name);
2313
+ goto failed;
2314
+ }
2315
+
2316
+ if (ngx_file_size(&fi) != 48) {
2317
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
2318
+ "\"%V\" must be 48 bytes", &file.name);
2319
+ goto failed;
2320
+ }
2321
+
2322
+ n = ngx_read_file(&file, buf, 48, 0);
2323
+
2324
+ if (n == NGX_ERROR) {
2325
+ ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
2326
+ ngx_read_file_n " \"%V\" failed", &file.name);
2327
+ goto failed;
2328
+ }
2329
+
2330
+ if (n != 48) {
2331
+ ngx_conf_log_error(NGX_LOG_CRIT, cf, 0,
2332
+ ngx_read_file_n " \"%V\" returned only "
2333
+ "%z bytes instead of 48", &file.name, n);
2334
+ goto failed;
2335
+ }
2336
+
2337
+ key = ngx_array_push(keys);
2338
+ if (key == NULL) {
2339
+ goto failed;
2340
+ }
2341
+
2342
+ ngx_memcpy(key->name, buf, 16);
2343
+ ngx_memcpy(key->aes_key, buf + 16, 16);
2344
+ ngx_memcpy(key->hmac_key, buf + 32, 16);
2345
+
2346
+ if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
2347
+ ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
2348
+ ngx_close_file_n " \"%V\" failed", &file.name);
2349
+ }
2350
+ }
2351
+
2352
+ if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
2353
+ == 0)
2354
+ {
2355
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2356
+ "SSL_CTX_set_ex_data() failed");
2357
+ return NGX_ERROR;
2358
+ }
2359
+
2360
+ if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx,
2361
+ ngx_ssl_session_ticket_key_callback)
2362
+ == 0)
2363
+ {
2364
+ ngx_log_error(NGX_LOG_WARN, cf->log, 0,
2365
+ "nginx was built with Session Tickets support, however, "
2366
+ "now it is linked dynamically to an OpenSSL library "
2367
+ "which has no tlsext support, therefore Session Tickets "
2368
+ "are not available");
2369
+ }
2370
+
2371
+ return NGX_OK;
2372
+
2373
+ failed:
2374
+
2375
+ if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
2376
+ ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
2377
+ ngx_close_file_n " \"%V\" failed", &file.name);
2378
+ }
2379
+
2380
+ return NGX_ERROR;
2381
+ }
2382
+
2383
+
2384
+ #ifdef OPENSSL_NO_SHA256
2385
+ #define ngx_ssl_session_ticket_md EVP_sha1
2386
+ #else
2387
+ #define ngx_ssl_session_ticket_md EVP_sha256
2388
+ #endif
2389
+
2390
+
2391
+ static int
2392
+ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
2393
+ unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
2394
+ HMAC_CTX *hctx, int enc)
2395
+ {
2396
+ SSL_CTX *ssl_ctx;
2397
+ ngx_uint_t i;
2398
+ ngx_array_t *keys;
2399
+ ngx_ssl_session_ticket_key_t *key;
2400
+ #if (NGX_DEBUG)
2401
+ u_char buf[32];
2402
+ ngx_connection_t *c;
2403
+ #endif
2404
+
2405
+ ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
2406
+
2407
+ keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index);
2408
+ if (keys == NULL) {
2409
+ return -1;
2410
+ }
2411
+
2412
+ key = keys->elts;
2413
+
2414
+ #if (NGX_DEBUG)
2415
+ c = ngx_ssl_get_connection(ssl_conn);
2416
+ #endif
2417
+
2418
+ if (enc == 1) {
2419
+ /* encrypt session ticket */
2420
+
2421
+ ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
2422
+ "ssl session ticket encrypt, key: \"%*s\" (%s session)",
2423
+ ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
2424
+ SSL_session_reused(ssl_conn) ? "reused" : "new");
2425
+
2426
+ RAND_pseudo_bytes(iv, 16);
2427
+ EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[0].aes_key, iv);
2428
+ HMAC_Init_ex(hctx, key[0].hmac_key, 16,
2429
+ ngx_ssl_session_ticket_md(), NULL);
2430
+ memcpy(name, key[0].name, 16);
2431
+
2432
+ return 0;
2433
+
2434
+ } else {
2435
+ /* decrypt session ticket */
2436
+
2437
+ for (i = 0; i < keys->nelts; i++) {
2438
+ if (ngx_memcmp(name, key[i].name, 16) == 0) {
2439
+ goto found;
2440
+ }
2441
+ }
2442
+
2443
+ ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
2444
+ "ssl session ticket decrypt, key: \"%*s\" not found",
2445
+ ngx_hex_dump(buf, name, 16) - buf, buf);
2446
+
2447
+ return 0;
2448
+
2449
+ found:
2450
+
2451
+ ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
2452
+ "ssl session ticket decrypt, key: \"%*s\"%s",
2453
+ ngx_hex_dump(buf, key[i].name, 16) - buf, buf,
2454
+ (i == 0) ? " (default)" : "");
2455
+
2456
+ HMAC_Init_ex(hctx, key[i].hmac_key, 16,
2457
+ ngx_ssl_session_ticket_md(), NULL);
2458
+ EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[i].aes_key, iv);
2459
+
2460
+ return (i == 0) ? 1 : 2 /* renew */;
2461
+ }
2462
+ }
2463
+
2464
+ #else
2465
+
2466
+ ngx_int_t
2467
+ ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
2468
+ {
2469
+ if (paths) {
2470
+ ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
2471
+ "\"ssl_session_ticket_keys\" ignored, not supported");
2472
+ }
2473
+
2474
+ return NGX_OK;
2475
+ }
2476
+
2477
+ #endif
2478
+
2479
+
2203
2480
  void
2204
2481
  ngx_ssl_cleanup_ctx(void *data)
2205
2482
  {
@@ -2253,6 +2530,20 @@ ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
2253
2530
  }
2254
2531
 
2255
2532
 
2533
+ ngx_int_t
2534
+ ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
2535
+ {
2536
+ if (SSL_session_reused(c->ssl->connection)) {
2537
+ ngx_str_set(s, "r");
2538
+
2539
+ } else {
2540
+ ngx_str_set(s, ".");
2541
+ }
2542
+
2543
+ return NGX_OK;
2544
+ }
2545
+
2546
+
2256
2547
  ngx_int_t
2257
2548
  ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
2258
2549
  {
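Review bot: In ngx_ssl_session_ticket_key_callback (hunk `@@ -2200,6 +2265,218 @@`, new side) the encrypt branch calls `RAND_pseudo_bytes(iv, 16)` and discards its result, so a return of 0 (bytes not cryptographically strong) or -1 still feeds `iv` into `EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), ...)` and a ticket is issued under a weak IV instead of the handshake failing. I would replace that line with `if (RAND_bytes(iv, 16) != 1) { return -1; }`, matching the `return -1` the function already uses when no keys are attached to the context, and add a one-line comment that -1 aborts the handshake rather than issuing a ticket. In the same hunk, ngx_ssl_session_ticket_keys stages each 48-byte key file in the stack array `buf` and copies it into `key->name`/`aes_key`/`hmac_key`, but `buf` is never cleared on the `return NGX_OK` path or at `failed:`; an `ngx_memzero(buf, 48);` before both returns (or a variant the compiler cannot elide, if this tree provides one) limits how long the AES and HMAC key material stays on the stack. Both functions begin and end inside this hunk.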