nginxtra 1.4.7.9 → 1.6.0.9
- checksums.yaml +4 -4
- data/bin/nginxtra +1 -1
- data/bin/nginxtra_rails +1 -1
- data/lib/nginxtra/version.rb +1 -1
- data/vendor/nginx/CHANGES +286 -19
- data/vendor/nginx/CHANGES.ru +296 -22
- data/vendor/nginx/auto/cc/clang +4 -3
- data/vendor/nginx/auto/cc/conf +23 -0
- data/vendor/nginx/auto/cc/msvc +1 -0
- data/vendor/nginx/auto/cc/name +1 -1
- data/vendor/nginx/auto/cc/owc +4 -4
- data/vendor/nginx/auto/cc/sunc +1 -1
- data/vendor/nginx/auto/endianness +2 -2
- data/vendor/nginx/auto/feature +1 -1
- data/vendor/nginx/auto/include +1 -1
- data/vendor/nginx/auto/lib/libatomic/make +3 -1
- data/vendor/nginx/auto/lib/openssl/conf +4 -0
- data/vendor/nginx/auto/lib/openssl/make +1 -1
- data/vendor/nginx/auto/lib/pcre/conf +5 -0
- data/vendor/nginx/auto/lib/pcre/make +11 -11
- data/vendor/nginx/auto/lib/pcre/makefile.bcc +4 -3
- data/vendor/nginx/auto/lib/pcre/makefile.msvc +2 -1
- data/vendor/nginx/auto/lib/pcre/makefile.owc +2 -1
- data/vendor/nginx/auto/lib/perl/make +1 -0
- data/vendor/nginx/auto/lib/test +1 -1
- data/vendor/nginx/auto/lib/zlib/make +22 -1
- data/vendor/nginx/auto/modules +8 -0
- data/vendor/nginx/auto/options +3 -0
- data/vendor/nginx/auto/os/darwin +1 -1
- data/vendor/nginx/auto/os/linux +32 -0
- data/vendor/nginx/auto/os/win32 +12 -1
- data/vendor/nginx/auto/sources +8 -2
- data/vendor/nginx/auto/types/sizeof +1 -1
- data/vendor/nginx/auto/types/typedef +1 -1
- data/vendor/nginx/auto/types/uintptr_t +1 -1
- data/vendor/nginx/auto/unix +13 -1
- data/vendor/nginx/conf/mime.types +11 -2
- data/vendor/nginx/conf/nginx.conf +3 -4
- data/vendor/nginx/contrib/README +6 -0
- data/vendor/nginx/contrib/vim/ftdetect/nginx.vim +4 -0
- data/vendor/nginx/contrib/vim/indent/nginx.vim +11 -0
- data/vendor/nginx/contrib/vim/syntax/nginx.vim +703 -0
- data/vendor/nginx/src/core/nginx.c +2 -7
- data/vendor/nginx/src/core/nginx.h +2 -2
- data/vendor/nginx/src/core/ngx_conf_file.c +8 -88
- data/vendor/nginx/src/core/ngx_conf_file.h +3 -3
- data/vendor/nginx/src/core/ngx_config.h +2 -2
- data/vendor/nginx/src/core/ngx_connection.c +100 -29
- data/vendor/nginx/src/core/ngx_connection.h +11 -0
- data/vendor/nginx/src/core/ngx_core.h +1 -0
- data/vendor/nginx/src/core/ngx_cycle.c +23 -99
- data/vendor/nginx/src/core/ngx_cycle.h +2 -0
- data/vendor/nginx/src/core/ngx_file.c +100 -8
- data/vendor/nginx/src/core/ngx_file.h +3 -0
- data/vendor/nginx/src/core/ngx_hash.c +6 -9
- data/vendor/nginx/src/core/ngx_inet.c +93 -5
- data/vendor/nginx/src/core/ngx_inet.h +4 -2
- data/vendor/nginx/src/core/ngx_list.c +1 -9
- data/vendor/nginx/src/core/ngx_log.c +132 -30
- data/vendor/nginx/src/core/ngx_log.h +5 -2
- data/vendor/nginx/src/core/ngx_open_file_cache.c +67 -1
- data/vendor/nginx/src/core/ngx_palloc.c +5 -2
- data/vendor/nginx/src/core/ngx_proxy_protocol.c +91 -0
- data/vendor/nginx/src/core/ngx_proxy_protocol.h +23 -0
- data/vendor/nginx/src/core/ngx_resolver.c +1080 -285
- data/vendor/nginx/src/core/ngx_resolver.h +33 -3
- data/vendor/nginx/src/core/ngx_slab.c +7 -2
- data/vendor/nginx/src/core/ngx_slab.h +2 -0
- data/vendor/nginx/src/core/ngx_string.c +78 -13
- data/vendor/nginx/src/core/ngx_string.h +2 -0
- data/vendor/nginx/src/event/modules/ngx_devpoll_module.c +2 -2
- data/vendor/nginx/src/event/modules/ngx_epoll_module.c +13 -5
- data/vendor/nginx/src/event/modules/ngx_select_module.c +1 -1
- data/vendor/nginx/src/event/modules/ngx_win32_select_module.c +2 -2
- data/vendor/nginx/src/event/ngx_event.c +0 -1
- data/vendor/nginx/src/event/ngx_event.h +7 -6
- data/vendor/nginx/src/event/ngx_event_accept.c +6 -4
- data/vendor/nginx/src/event/ngx_event_connect.c +2 -2
- data/vendor/nginx/src/event/ngx_event_openssl.c +304 -13
- data/vendor/nginx/src/event/ngx_event_openssl.h +20 -1
- data/vendor/nginx/src/event/ngx_event_openssl_stapling.c +35 -23
- data/vendor/nginx/src/event/ngx_event_pipe.c +15 -30
- data/vendor/nginx/src/http/modules/ngx_http_access_module.c +115 -35
- data/vendor/nginx/src/http/modules/ngx_http_auth_basic_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_auth_request_module.c +444 -0
- data/vendor/nginx/src/http/modules/ngx_http_autoindex_module.c +2 -1
- data/vendor/nginx/src/http/modules/ngx_http_charset_filter_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_dav_module.c +1 -3
- data/vendor/nginx/src/http/modules/ngx_http_fastcgi_module.c +251 -36
- data/vendor/nginx/src/http/modules/ngx_http_gunzip_filter_module.c +9 -5
- data/vendor/nginx/src/http/modules/ngx_http_gzip_filter_module.c +5 -3
- data/vendor/nginx/src/http/modules/ngx_http_gzip_static_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_headers_filter_module.c +4 -0
- data/vendor/nginx/src/http/modules/ngx_http_image_filter_module.c +8 -2
- data/vendor/nginx/src/http/modules/ngx_http_limit_req_module.c +5 -1
- data/vendor/nginx/src/http/modules/ngx_http_map_module.c +3 -3
- data/vendor/nginx/src/http/modules/ngx_http_memcached_module.c +21 -10
- data/vendor/nginx/src/http/modules/ngx_http_mp4_module.c +669 -197
- data/vendor/nginx/src/http/modules/ngx_http_proxy_module.c +93 -60
- data/vendor/nginx/src/http/modules/ngx_http_range_filter_module.c +13 -6
- data/vendor/nginx/src/http/modules/ngx_http_realip_module.c +20 -1
- data/vendor/nginx/src/http/modules/ngx_http_referer_module.c +132 -74
- data/vendor/nginx/src/http/modules/ngx_http_scgi_module.c +18 -12
- data/vendor/nginx/src/http/modules/ngx_http_ssi_filter_module.c +22 -20
- data/vendor/nginx/src/http/modules/ngx_http_ssl_module.c +121 -3
- data/vendor/nginx/src/http/modules/ngx_http_ssl_module.h +5 -0
- data/vendor/nginx/src/http/modules/ngx_http_stub_status_module.c +3 -0
- data/vendor/nginx/src/http/modules/ngx_http_sub_filter_module.c +123 -91
- data/vendor/nginx/src/http/modules/ngx_http_upstream_ip_hash_module.c +29 -19
- data/vendor/nginx/src/http/modules/ngx_http_upstream_keepalive_module.c +2 -5
- data/vendor/nginx/src/http/modules/ngx_http_uwsgi_module.c +215 -19
- data/vendor/nginx/src/http/modules/ngx_http_xslt_filter_module.c +32 -6
- data/vendor/nginx/src/http/modules/perl/nginx.xs +4 -7
- data/vendor/nginx/src/http/modules/perl/ngx_http_perl_module.c +2 -2
- data/vendor/nginx/src/http/ngx_http.c +17 -7
- data/vendor/nginx/src/http/ngx_http_cache.h +4 -2
- data/vendor/nginx/src/http/ngx_http_copy_filter_module.c +4 -2
- data/vendor/nginx/src/http/ngx_http_core_module.c +63 -50
- data/vendor/nginx/src/http/ngx_http_core_module.h +5 -0
- data/vendor/nginx/src/http/ngx_http_file_cache.c +115 -3
- data/vendor/nginx/src/http/ngx_http_header_filter_module.c +9 -6
- data/vendor/nginx/src/http/ngx_http_parse.c +88 -10
- data/vendor/nginx/src/http/ngx_http_postpone_filter_module.c +2 -4
- data/vendor/nginx/src/http/ngx_http_request.c +116 -8
- data/vendor/nginx/src/http/ngx_http_request.h +5 -1
- data/vendor/nginx/src/http/ngx_http_request_body.c +7 -7
- data/vendor/nginx/src/http/ngx_http_script.c +6 -5
- data/vendor/nginx/src/http/ngx_http_spdy.c +889 -271
- data/vendor/nginx/src/http/ngx_http_spdy.h +51 -28
- data/vendor/nginx/src/http/ngx_http_spdy_filter_module.c +382 -167
- data/vendor/nginx/src/http/ngx_http_spdy_module.c +65 -8
- data/vendor/nginx/src/http/ngx_http_spdy_module.h +5 -0
- data/vendor/nginx/src/http/ngx_http_special_response.c +1 -1
- data/vendor/nginx/src/http/ngx_http_upstream.c +290 -114
- data/vendor/nginx/src/http/ngx_http_upstream.h +9 -5
- data/vendor/nginx/src/http/ngx_http_upstream_round_robin.c +32 -24
- data/vendor/nginx/src/http/ngx_http_variables.c +40 -6
- data/vendor/nginx/src/http/ngx_http_write_filter_module.c +12 -5
- data/vendor/nginx/src/mail/ngx_mail.c +4 -2
- data/vendor/nginx/src/mail/ngx_mail.h +2 -0
- data/vendor/nginx/src/mail/ngx_mail_auth_http_module.c +0 -1
- data/vendor/nginx/src/mail/ngx_mail_core_module.c +2 -1
- data/vendor/nginx/src/mail/ngx_mail_handler.c +17 -4
- data/vendor/nginx/src/mail/ngx_mail_parse.c +32 -2
- data/vendor/nginx/src/mail/ngx_mail_proxy_module.c +54 -7
- data/vendor/nginx/src/mail/ngx_mail_smtp_handler.c +50 -78
- data/vendor/nginx/src/mail/ngx_mail_ssl_module.c +48 -11
- data/vendor/nginx/src/mail/ngx_mail_ssl_module.h +3 -0
- data/vendor/nginx/src/os/unix/ngx_channel.c +3 -1
- data/vendor/nginx/src/os/unix/ngx_darwin_config.h +1 -0
- data/vendor/nginx/src/os/unix/ngx_darwin_init.c +1 -1
- data/vendor/nginx/src/os/unix/ngx_darwin_sendfile_chain.c +14 -16
- data/vendor/nginx/src/os/unix/ngx_errno.h +3 -0
- data/vendor/nginx/src/os/unix/ngx_files.h +10 -16
- data/vendor/nginx/src/os/unix/ngx_freebsd_config.h +6 -0
- data/vendor/nginx/src/os/unix/ngx_freebsd_init.c +1 -1
- data/vendor/nginx/src/os/unix/ngx_freebsd_rfork_thread.c +1 -1
- data/vendor/nginx/src/os/unix/ngx_freebsd_rfork_thread.h +2 -2
- data/vendor/nginx/src/os/unix/ngx_freebsd_sendfile_chain.c +17 -19
- data/vendor/nginx/src/os/unix/ngx_linux_config.h +8 -2
- data/vendor/nginx/src/os/unix/ngx_linux_sendfile_chain.c +20 -22
- data/vendor/nginx/src/os/unix/ngx_posix_config.h +1 -0
- data/vendor/nginx/src/os/unix/ngx_process.c +5 -0
- data/vendor/nginx/src/os/unix/ngx_process_cycle.c +15 -3
- data/vendor/nginx/src/os/unix/ngx_readv_chain.c +2 -1
- data/vendor/nginx/src/os/unix/ngx_recv.c +4 -1
- data/vendor/nginx/src/os/unix/ngx_solaris_config.h +1 -0
- data/vendor/nginx/src/os/unix/ngx_solaris_sendfilev_chain.c +14 -16
- metadata +8 -2
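--- a/data/vendor/nginx/src/event/ngx_event_connect.c
+++ b/data/vendor/nginx/src/event/ngx_event_connect.c
@@ -31,7 +31,7 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
 
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pc->log, 0, "socket %d", s);
 
-    if (s == -1) {
+    if (s == (ngx_socket_t) -1) {
         ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
                       ngx_socket_n " failed");
         return NGX_ERROR;
@@ -122,7 +122,7 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
     }
 
     ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pc->log, 0,
-                   "connect to %V, fd:%d #%
+                   "connect to %V, fd:%d #%uA", pc->name, s, c->number);
 
     rc = connect(s, pc->sockaddr, pc->socklen);
 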
@@ -15,7 +15,7 @@ typedef struct {
|
|
15
15
|
} ngx_openssl_conf_t;
|
16
16
|
|
17
17
|
|
18
|
-
static int
|
18
|
+
static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
|
19
19
|
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
|
20
20
|
int ret);
|
21
21
|
static void ngx_ssl_handshake_handler(ngx_event_t *ev);
|
@@ -38,6 +38,12 @@ static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
|
|
38
38
|
static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
|
39
39
|
ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel);
|
40
40
|
|
41
|
+
#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
|
42
|
+
static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
43
|
+
unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
|
44
|
+
HMAC_CTX *hctx, int enc);
|
45
|
+
#endif
|
46
|
+
|
41
47
|
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
|
42
48
|
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
|
43
49
|
static void ngx_openssl_exit(ngx_cycle_t *cycle);
|
@@ -82,6 +88,7 @@ ngx_module_t ngx_openssl_module = {
|
|
82
88
|
int ngx_ssl_connection_index;
|
83
89
|
int ngx_ssl_server_conf_index;
|
84
90
|
int ngx_ssl_session_cache_index;
|
91
|
+
int ngx_ssl_session_ticket_keys_index;
|
85
92
|
int ngx_ssl_certificate_index;
|
86
93
|
int ngx_ssl_stapling_index;
|
87
94
|
|
@@ -139,6 +146,14 @@ ngx_ssl_init(ngx_log_t *log)
|
|
139
146
|
return NGX_ERROR;
|
140
147
|
}
|
141
148
|
|
149
|
+
ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
|
150
|
+
NULL, NULL);
|
151
|
+
if (ngx_ssl_session_ticket_keys_index == -1) {
|
152
|
+
ngx_ssl_error(NGX_LOG_ALERT, log, 0,
|
153
|
+
"SSL_CTX_get_ex_new_index() failed");
|
154
|
+
return NGX_ERROR;
|
155
|
+
}
|
156
|
+
|
142
157
|
ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
|
143
158
|
NULL);
|
144
159
|
if (ngx_ssl_certificate_index == -1) {
|
@@ -175,6 +190,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|
175
190
|
return NGX_ERROR;
|
176
191
|
}
|
177
192
|
|
193
|
+
ssl->buffer_size = NGX_SSL_BUFSIZE;
|
194
|
+
|
178
195
|
/* client side options */
|
179
196
|
|
180
197
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
|
@@ -185,8 +202,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|
185
202
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
|
186
203
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
|
187
204
|
|
205
|
+
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
|
188
206
|
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
|
189
207
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
|
208
|
+
#endif
|
190
209
|
|
191
210
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
|
192
211
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
|
@@ -278,6 +297,8 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
|
278
297
|
{
|
279
298
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
280
299
|
"SSL_CTX_set_ex_data() failed");
|
300
|
+
X509_free(x509);
|
301
|
+
BIO_free(bio);
|
281
302
|
return NGX_ERROR;
|
282
303
|
}
|
283
304
|
|
@@ -342,7 +363,7 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
|
342
363
|
{
|
343
364
|
STACK_OF(X509_NAME) *list;
|
344
365
|
|
345
|
-
SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER,
|
366
|
+
SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
|
346
367
|
|
347
368
|
SSL_CTX_set_verify_depth(ssl->ctx, depth);
|
348
369
|
|
@@ -363,6 +384,13 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
|
363
384
|
return NGX_ERROR;
|
364
385
|
}
|
365
386
|
|
387
|
+
/*
|
388
|
+
* SSL_CTX_load_verify_locations() may leave errors in the error queue
|
389
|
+
* while returning success
|
390
|
+
*/
|
391
|
+
|
392
|
+
ERR_clear_error();
|
393
|
+
|
366
394
|
list = SSL_load_client_CA_file((char *) cert->data);
|
367
395
|
|
368
396
|
if (list == NULL) {
|
@@ -407,6 +435,13 @@ ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
|
407
435
|
return NGX_ERROR;
|
408
436
|
}
|
409
437
|
|
438
|
+
/*
|
439
|
+
* SSL_CTX_load_verify_locations() may leave errors in the error queue
|
440
|
+
* while returning success
|
441
|
+
*/
|
442
|
+
|
443
|
+
ERR_clear_error();
|
444
|
+
|
410
445
|
return NGX_OK;
|
411
446
|
}
|
412
447
|
|
@@ -457,7 +492,7 @@ ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
|
|
457
492
|
|
458
493
|
|
459
494
|
static int
|
460
|
-
|
495
|
+
ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
|
461
496
|
{
|
462
497
|
#if (NGX_DEBUG)
|
463
498
|
char *subject, *issuer;
|
@@ -503,6 +538,7 @@ ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
|
|
503
538
|
static void
|
504
539
|
ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
|
505
540
|
{
|
541
|
+
BIO *rbio, *wbio;
|
506
542
|
ngx_connection_t *c;
|
507
543
|
|
508
544
|
if (where & SSL_CB_HANDSHAKE_START) {
|
@@ -513,11 +549,37 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
|
|
513
549
|
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
|
514
550
|
}
|
515
551
|
}
|
552
|
+
|
553
|
+
if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
|
554
|
+
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
555
|
+
|
556
|
+
if (!c->ssl->handshake_buffer_set) {
|
557
|
+
/*
|
558
|
+
* By default OpenSSL uses 4k buffer during a handshake,
|
559
|
+
* which is too low for long certificate chains and might
|
560
|
+
* result in extra round-trips.
|
561
|
+
*
|
562
|
+
* To adjust a buffer size we detect that buffering was added
|
563
|
+
* to write side of the connection by comparing rbio and wbio.
|
564
|
+
* If they are different, we assume that it's due to buffering
|
565
|
+
* added to wbio, and set buffer size.
|
566
|
+
*/
|
567
|
+
|
568
|
+
rbio = SSL_get_rbio((ngx_ssl_conn_t *) ssl_conn);
|
569
|
+
wbio = SSL_get_wbio((ngx_ssl_conn_t *) ssl_conn);
|
570
|
+
|
571
|
+
if (rbio != wbio) {
|
572
|
+
(void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE);
|
573
|
+
c->ssl->handshake_buffer_set = 1;
|
574
|
+
}
|
575
|
+
}
|
576
|
+
}
|
516
577
|
}
|
517
578
|
|
518
579
|
|
519
580
|
RSA *
|
520
|
-
ngx_ssl_rsa512_key_callback(
|
581
|
+
ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
|
582
|
+
int key_length)
|
521
583
|
{
|
522
584
|
static RSA *key;
|
523
585
|
|
@@ -666,6 +728,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
|
|
666
728
|
}
|
667
729
|
|
668
730
|
sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
|
731
|
+
sc->buffer_size = ssl->buffer_size;
|
669
732
|
|
670
733
|
sc->connection = SSL_new(ssl->ctx);
|
671
734
|
|
@@ -1162,7 +1225,7 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
|
|
1162
1225
|
buf = c->ssl->buf;
|
1163
1226
|
|
1164
1227
|
if (buf == NULL) {
|
1165
|
-
buf = ngx_create_temp_buf(c->pool,
|
1228
|
+
buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size);
|
1166
1229
|
if (buf == NULL) {
|
1167
1230
|
return NGX_CHAIN_ERROR;
|
1168
1231
|
}
|
@@ -1171,14 +1234,14 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
|
|
1171
1234
|
}
|
1172
1235
|
|
1173
1236
|
if (buf->start == NULL) {
|
1174
|
-
buf->start = ngx_palloc(c->pool,
|
1237
|
+
buf->start = ngx_palloc(c->pool, c->ssl->buffer_size);
|
1175
1238
|
if (buf->start == NULL) {
|
1176
1239
|
return NGX_CHAIN_ERROR;
|
1177
1240
|
}
|
1178
1241
|
|
1179
1242
|
buf->pos = buf->start;
|
1180
1243
|
buf->last = buf->start;
|
1181
|
-
buf->end = buf->start +
|
1244
|
+
buf->end = buf->start + c->ssl->buffer_size;
|
1182
1245
|
}
|
1183
1246
|
|
1184
1247
|
send = buf->last - buf->pos;
|
@@ -1664,6 +1727,8 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
|
|
1664
1727
|
{
|
1665
1728
|
long cache_mode;
|
1666
1729
|
|
1730
|
+
SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
|
1731
|
+
|
1667
1732
|
if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
|
1668
1733
|
SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
|
1669
1734
|
return NGX_OK;
|
@@ -1709,8 +1774,6 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
|
|
1709
1774
|
}
|
1710
1775
|
}
|
1711
1776
|
|
1712
|
-
SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
|
1713
|
-
|
1714
1777
|
if (shm_zone) {
|
1715
1778
|
SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
|
1716
1779
|
SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
|
@@ -1741,13 +1804,13 @@ ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
|
|
1741
1804
|
return NGX_OK;
|
1742
1805
|
}
|
1743
1806
|
|
1807
|
+
shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
|
1808
|
+
|
1744
1809
|
if (shm_zone->shm.exists) {
|
1745
|
-
shm_zone->data = data;
|
1810
|
+
shm_zone->data = shpool->data;
|
1746
1811
|
return NGX_OK;
|
1747
1812
|
}
|
1748
1813
|
|
1749
|
-
shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
|
1750
|
-
|
1751
1814
|
cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t));
|
1752
1815
|
if (cache == NULL) {
|
1753
1816
|
return NGX_ERROR;
|
@@ -1771,6 +1834,8 @@ ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
|
|
1771
1834
|
ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z",
|
1772
1835
|
&shm_zone->shm.name);
|
1773
1836
|
|
1837
|
+
shpool->log_nomem = 0;
|
1838
|
+
|
1774
1839
|
return NGX_OK;
|
1775
1840
|
}
|
1776
1841
|
|
@@ -1923,7 +1988,7 @@ failed:
|
|
1923
1988
|
ngx_shmtx_unlock(&shpool->mutex);
|
1924
1989
|
|
1925
1990
|
ngx_log_error(NGX_LOG_ALERT, c->log, 0,
|
1926
|
-
"could not
|
1991
|
+
"could not allocate new session%s", shpool->log_ctx);
|
1927
1992
|
|
1928
1993
|
return 0;
|
1929
1994
|
}
|
@@ -2200,6 +2265,218 @@ ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
|
|
2200
2265
|
}
|
2201
2266
|
|
2202
2267
|
|
2268
|
+
#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
|
2269
|
+
|
2270
|
+
ngx_int_t
|
2271
|
+
ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
|
2272
|
+
{
|
2273
|
+
u_char buf[48];
|
2274
|
+
ssize_t n;
|
2275
|
+
ngx_str_t *path;
|
2276
|
+
ngx_file_t file;
|
2277
|
+
ngx_uint_t i;
|
2278
|
+
ngx_array_t *keys;
|
2279
|
+
ngx_file_info_t fi;
|
2280
|
+
ngx_ssl_session_ticket_key_t *key;
|
2281
|
+
|
2282
|
+
if (paths == NULL) {
|
2283
|
+
return NGX_OK;
|
2284
|
+
}
|
2285
|
+
|
2286
|
+
keys = ngx_array_create(cf->pool, paths->nelts,
|
2287
|
+
sizeof(ngx_ssl_session_ticket_key_t));
|
2288
|
+
if (keys == NULL) {
|
2289
|
+
return NGX_ERROR;
|
2290
|
+
}
|
2291
|
+
|
2292
|
+
path = paths->elts;
|
2293
|
+
for (i = 0; i < paths->nelts; i++) {
|
2294
|
+
|
2295
|
+
if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) {
|
2296
|
+
return NGX_ERROR;
|
2297
|
+
}
|
2298
|
+
|
2299
|
+
ngx_memzero(&file, sizeof(ngx_file_t));
|
2300
|
+
file.name = path[i];
|
2301
|
+
file.log = cf->log;
|
2302
|
+
|
2303
|
+
file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, 0, 0);
|
2304
|
+
if (file.fd == NGX_INVALID_FILE) {
|
2305
|
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
|
2306
|
+
ngx_open_file_n " \"%V\" failed", &file.name);
|
2307
|
+
return NGX_ERROR;
|
2308
|
+
}
|
2309
|
+
|
2310
|
+
if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) {
|
2311
|
+
ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
|
2312
|
+
ngx_fd_info_n " \"%V\" failed", &file.name);
|
2313
|
+
goto failed;
|
2314
|
+
}
|
2315
|
+
|
2316
|
+
if (ngx_file_size(&fi) != 48) {
|
2317
|
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
2318
|
+
"\"%V\" must be 48 bytes", &file.name);
|
2319
|
+
goto failed;
|
2320
|
+
}
|
2321
|
+
|
2322
|
+
n = ngx_read_file(&file, buf, 48, 0);
|
2323
|
+
|
2324
|
+
if (n == NGX_ERROR) {
|
2325
|
+
ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
|
2326
|
+
ngx_read_file_n " \"%V\" failed", &file.name);
|
2327
|
+
goto failed;
|
2328
|
+
}
|
2329
|
+
|
2330
|
+
if (n != 48) {
|
2331
|
+
ngx_conf_log_error(NGX_LOG_CRIT, cf, 0,
|
2332
|
+
ngx_read_file_n " \"%V\" returned only "
|
2333
|
+
"%z bytes instead of 48", &file.name, n);
|
2334
|
+
goto failed;
|
2335
|
+
}
|
2336
|
+
|
2337
|
+
key = ngx_array_push(keys);
|
2338
|
+
if (key == NULL) {
|
2339
|
+
goto failed;
|
2340
|
+
}
|
2341
|
+
|
2342
|
+
ngx_memcpy(key->name, buf, 16);
|
2343
|
+
ngx_memcpy(key->aes_key, buf + 16, 16);
|
2344
|
+
ngx_memcpy(key->hmac_key, buf + 32, 16);
|
2345
|
+
|
2346
|
+
if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
|
2347
|
+
ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
|
2348
|
+
ngx_close_file_n " \"%V\" failed", &file.name);
|
2349
|
+
}
|
2350
|
+
}
|
2351
|
+
|
2352
|
+
if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
|
2353
|
+
== 0)
|
2354
|
+
{
|
2355
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
2356
|
+
"SSL_CTX_set_ex_data() failed");
|
2357
|
+
return NGX_ERROR;
|
2358
|
+
}
|
2359
|
+
|
2360
|
+
if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx,
|
2361
|
+
ngx_ssl_session_ticket_key_callback)
|
2362
|
+
== 0)
|
2363
|
+
{
|
2364
|
+
ngx_log_error(NGX_LOG_WARN, cf->log, 0,
|
2365
|
+
"nginx was built with Session Tickets support, however, "
|
2366
|
+
"now it is linked dynamically to an OpenSSL library "
|
2367
|
+
"which has no tlsext support, therefore Session Tickets "
|
2368
|
+
"are not available");
|
2369
|
+
}
|
2370
|
+
|
2371
|
+
return NGX_OK;
|
2372
|
+
|
2373
|
+
failed:
|
2374
|
+
|
2375
|
+
if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
|
2376
|
+
ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
|
2377
|
+
ngx_close_file_n " \"%V\" failed", &file.name);
|
2378
|
+
}
|
2379
|
+
|
2380
|
+
return NGX_ERROR;
|
2381
|
+
}
|
2382
|
+
|
2383
|
+
|
2384
|
+
#ifdef OPENSSL_NO_SHA256
|
2385
|
+
#define ngx_ssl_session_ticket_md EVP_sha1
|
2386
|
+
#else
|
2387
|
+
#define ngx_ssl_session_ticket_md EVP_sha256
|
2388
|
+
#endif
|
2389
|
+
|
2390
|
+
|
2391
|
+
static int
|
2392
|
+
ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
2393
|
+
unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
|
2394
|
+
HMAC_CTX *hctx, int enc)
|
2395
|
+
{
|
2396
|
+
SSL_CTX *ssl_ctx;
|
2397
|
+
ngx_uint_t i;
|
2398
|
+
ngx_array_t *keys;
|
2399
|
+
ngx_ssl_session_ticket_key_t *key;
|
2400
|
+
#if (NGX_DEBUG)
|
2401
|
+
u_char buf[32];
|
2402
|
+
ngx_connection_t *c;
|
2403
|
+
#endif
|
2404
|
+
|
2405
|
+
ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
|
2406
|
+
|
2407
|
+
keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index);
|
2408
|
+
if (keys == NULL) {
|
2409
|
+
return -1;
|
2410
|
+
}
|
2411
|
+
|
2412
|
+
key = keys->elts;
|
2413
|
+
|
2414
|
+
#if (NGX_DEBUG)
|
2415
|
+
c = ngx_ssl_get_connection(ssl_conn);
|
2416
|
+
#endif
|
2417
|
+
|
2418
|
+
if (enc == 1) {
|
2419
|
+
/* encrypt session ticket */
|
2420
|
+
|
2421
|
+
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
2422
|
+
"ssl session ticket encrypt, key: \"%*s\" (%s session)",
|
2423
|
+
ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
|
2424
|
+
SSL_session_reused(ssl_conn) ? "reused" : "new");
|
2425
|
+
|
2426
|
+
RAND_pseudo_bytes(iv, 16);
|
2427
|
+
EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[0].aes_key, iv);
|
2428
|
+
HMAC_Init_ex(hctx, key[0].hmac_key, 16,
|
2429
|
+
ngx_ssl_session_ticket_md(), NULL);
|
2430
|
+
memcpy(name, key[0].name, 16);
|
2431
|
+
|
2432
|
+
return 0;
|
2433
|
+
|
2434
|
+
} else {
|
2435
|
+
/* decrypt session ticket */
|
2436
|
+
|
2437
|
+
for (i = 0; i < keys->nelts; i++) {
|
2438
|
+
if (ngx_memcmp(name, key[i].name, 16) == 0) {
|
2439
|
+
goto found;
|
2440
|
+
}
|
2441
|
+
}
|
2442
|
+
|
2443
|
+
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
2444
|
+
"ssl session ticket decrypt, key: \"%*s\" not found",
|
2445
|
+
ngx_hex_dump(buf, name, 16) - buf, buf);
|
2446
|
+
|
2447
|
+
return 0;
|
2448
|
+
|
2449
|
+
found:
|
2450
|
+
|
2451
|
+
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
2452
|
+
"ssl session ticket decrypt, key: \"%*s\"%s",
|
2453
|
+
ngx_hex_dump(buf, key[i].name, 16) - buf, buf,
|
2454
|
+
(i == 0) ? " (default)" : "");
|
2455
|
+
|
2456
|
+
HMAC_Init_ex(hctx, key[i].hmac_key, 16,
|
2457
|
+
ngx_ssl_session_ticket_md(), NULL);
|
2458
|
+
EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[i].aes_key, iv);
|
2459
|
+
|
2460
|
+
return (i == 0) ? 1 : 2 /* renew */;
|
2461
|
+
}
|
2462
|
+
}
|
2463
|
+
|
2464
|
+
#else
|
2465
|
+
|
2466
|
+
ngx_int_t
|
2467
|
+
ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
|
2468
|
+
{
|
2469
|
+
if (paths) {
|
2470
|
+
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
|
2471
|
+
"\"ssl_session_ticket_keys\" ignored, not supported");
|
2472
|
+
}
|
2473
|
+
|
2474
|
+
return NGX_OK;
|
2475
|
+
}
|
2476
|
+
|
2477
|
+
#endif
|
2478
|
+
|
2479
|
+
|
2203
2480
|
void
|
2204
2481
|
ngx_ssl_cleanup_ctx(void *data)
|
2205
2482
|
{
|
@@ -2253,6 +2530,20 @@ ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|
2253
2530
|
}
|
2254
2531
|
|
2255
2532
|
|
2533
|
+
ngx_int_t
|
2534
|
+
ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
2535
|
+
{
|
2536
|
+
if (SSL_session_reused(c->ssl->connection)) {
|
2537
|
+
ngx_str_set(s, "r");
|
2538
|
+
|
2539
|
+
} else {
|
2540
|
+
ngx_str_set(s, ".");
|
2541
|
+
}
|
2542
|
+
|
2543
|
+
return NGX_OK;
|
2544
|
+
}
|
2545
|
+
|
2546
|
+
|
2256
2547
|
ngx_int_t
|
2257
2548
|
ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
2258
2549
|
{
|