nginxtra 1.6.3.9 → 1.8.0.9
- checksums.yaml +4 -4
- data/bin/nginxtra +1 -1
- data/bin/nginxtra_rails +1 -1
- data/lib/nginxtra/version.rb +1 -1
- data/vendor/nginx/CHANGES +358 -14
- data/vendor/nginx/CHANGES.ru +372 -18
- data/vendor/nginx/LICENSE +2 -2
- data/vendor/nginx/auto/cc/clang +5 -0
- data/vendor/nginx/auto/cc/gcc +5 -0
- data/vendor/nginx/auto/lib/google-perftools/conf +1 -1
- data/vendor/nginx/auto/lib/openssl/make +0 -5
- data/vendor/nginx/auto/lib/perl/conf +9 -1
- data/vendor/nginx/auto/make +1 -1
- data/vendor/nginx/auto/modules +11 -0
- data/vendor/nginx/auto/options +10 -2
- data/vendor/nginx/auto/os/darwin +0 -1
- data/vendor/nginx/auto/os/freebsd +6 -23
- data/vendor/nginx/auto/sources +16 -14
- data/vendor/nginx/auto/summary +3 -24
- data/vendor/nginx/auto/threads +20 -0
- data/vendor/nginx/auto/types/sizeof +2 -12
- data/vendor/nginx/auto/unix +50 -6
- data/vendor/nginx/configure +5 -0
- data/vendor/nginx/contrib/vim/syntax/nginx.vim +183 -50
- data/vendor/nginx/src/core/nginx.c +21 -9
- data/vendor/nginx/src/core/nginx.h +8 -2
- data/vendor/nginx/src/core/ngx_buf.c +88 -0
- data/vendor/nginx/src/core/ngx_buf.h +15 -1
- data/vendor/nginx/src/core/ngx_conf_file.c +4 -1
- data/vendor/nginx/src/core/ngx_connection.c +25 -66
- data/vendor/nginx/src/core/ngx_connection.h +1 -3
- data/vendor/nginx/src/core/ngx_core.h +11 -3
- data/vendor/nginx/src/core/ngx_crypt.c +1 -1
- data/vendor/nginx/src/core/ngx_cycle.c +7 -1
- data/vendor/nginx/src/core/ngx_cycle.h +6 -2
- data/vendor/nginx/src/core/ngx_file.c +13 -5
- data/vendor/nginx/src/core/ngx_file.h +6 -0
- data/vendor/nginx/src/core/ngx_log.c +215 -21
- data/vendor/nginx/src/core/ngx_log.h +9 -1
- data/vendor/nginx/src/core/ngx_output_chain.c +104 -15
- data/vendor/nginx/src/core/ngx_palloc.c +3 -7
- data/vendor/nginx/src/core/ngx_rbtree.c +2 -4
- data/vendor/nginx/src/core/ngx_rbtree.h +2 -4
- data/vendor/nginx/src/core/ngx_regex.c +14 -6
- data/vendor/nginx/src/core/ngx_resolver.c +16 -23
- data/vendor/nginx/src/core/ngx_resolver.h +8 -7
- data/vendor/nginx/src/core/ngx_shmtx.c +1 -1
- data/vendor/nginx/src/core/ngx_slab.c +89 -2
- data/vendor/nginx/src/core/ngx_slab.h +3 -0
- data/vendor/nginx/src/core/ngx_string.c +58 -2
- data/vendor/nginx/src/core/ngx_string.h +1 -0
- data/vendor/nginx/src/core/ngx_syslog.c +374 -0
- data/vendor/nginx/src/core/ngx_syslog.h +30 -0
- data/vendor/nginx/src/core/ngx_thread_pool.c +630 -0
- data/vendor/nginx/src/core/ngx_thread_pool.h +36 -0
- data/vendor/nginx/src/core/ngx_times.c +19 -2
- data/vendor/nginx/src/core/ngx_times.h +1 -0
- data/vendor/nginx/src/event/modules/ngx_aio_module.c +1 -1
- data/vendor/nginx/src/event/modules/ngx_devpoll_module.c +9 -24
- data/vendor/nginx/src/event/modules/ngx_epoll_module.c +152 -28
- data/vendor/nginx/src/event/modules/ngx_eventport_module.c +43 -25
- data/vendor/nginx/src/event/modules/ngx_kqueue_module.c +86 -156
- data/vendor/nginx/src/event/modules/ngx_poll_module.c +21 -37
- data/vendor/nginx/src/event/modules/ngx_rtsig_module.c +15 -27
- data/vendor/nginx/src/event/modules/ngx_select_module.c +10 -12
- data/vendor/nginx/src/event/modules/ngx_win32_select_module.c +7 -9
- data/vendor/nginx/src/event/ngx_event.c +5 -33
- data/vendor/nginx/src/event/ngx_event.h +15 -50
- data/vendor/nginx/src/event/ngx_event_accept.c +11 -10
- data/vendor/nginx/src/event/ngx_event_connect.c +0 -11
- data/vendor/nginx/src/event/ngx_event_connect.h +1 -4
- data/vendor/nginx/src/event/ngx_event_openssl.c +622 -38
- data/vendor/nginx/src/event/ngx_event_openssl.h +20 -2
- data/vendor/nginx/src/event/ngx_event_openssl_stapling.c +5 -1
- data/vendor/nginx/src/event/ngx_event_pipe.c +45 -19
- data/vendor/nginx/src/event/ngx_event_pipe.h +3 -0
- data/vendor/nginx/src/event/ngx_event_posted.c +7 -145
- data/vendor/nginx/src/event/ngx_event_posted.h +12 -39
- data/vendor/nginx/src/event/ngx_event_timer.c +50 -70
- data/vendor/nginx/src/event/ngx_event_timer.h +2 -14
- data/vendor/nginx/src/http/modules/ngx_http_addition_filter_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_autoindex_module.c +416 -71
- data/vendor/nginx/src/http/modules/ngx_http_charset_filter_module.c +19 -15
- data/vendor/nginx/src/http/modules/ngx_http_dav_module.c +16 -4
- data/vendor/nginx/src/http/modules/ngx_http_fastcgi_module.c +601 -134
- data/vendor/nginx/src/http/modules/ngx_http_geo_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_geoip_module.c +9 -3
- data/vendor/nginx/src/http/modules/ngx_http_gunzip_filter_module.c +9 -3
- data/vendor/nginx/src/http/modules/ngx_http_gzip_filter_module.c +9 -3
- data/vendor/nginx/src/http/modules/ngx_http_gzip_static_module.c +0 -2
- data/vendor/nginx/src/http/modules/ngx_http_headers_filter_module.c +197 -91
- data/vendor/nginx/src/http/modules/ngx_http_image_filter_module.c +1 -0
- data/vendor/nginx/src/http/modules/ngx_http_limit_conn_module.c +65 -162
- data/vendor/nginx/src/http/modules/ngx_http_limit_req_module.c +53 -67
- data/vendor/nginx/src/http/modules/ngx_http_log_module.c +128 -23
- data/vendor/nginx/src/http/modules/ngx_http_memcached_module.c +25 -6
- data/vendor/nginx/src/http/modules/ngx_http_mp4_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_not_modified_filter_module.c +39 -13
- data/vendor/nginx/src/http/modules/ngx_http_proxy_module.c +697 -141
- data/vendor/nginx/src/http/modules/ngx_http_rewrite_module.c +5 -1
- data/vendor/nginx/src/http/modules/ngx_http_scgi_module.c +282 -125
- data/vendor/nginx/src/http/modules/ngx_http_ssi_filter_module.c +4 -1
- data/vendor/nginx/src/http/modules/ngx_http_ssl_module.c +44 -1
- data/vendor/nginx/src/http/modules/ngx_http_ssl_module.h +2 -0
- data/vendor/nginx/src/http/modules/ngx_http_stub_status_module.c +10 -8
- data/vendor/nginx/src/http/modules/ngx_http_sub_filter_module.c +18 -3
- data/vendor/nginx/src/http/modules/ngx_http_upstream_hash_module.c +641 -0
- data/vendor/nginx/src/http/modules/ngx_http_upstream_ip_hash_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_upstream_keepalive_module.c +3 -21
- data/vendor/nginx/src/http/modules/ngx_http_upstream_least_conn_module.c +0 -5
- data/vendor/nginx/src/http/modules/ngx_http_uwsgi_module.c +449 -125
- data/vendor/nginx/src/http/modules/ngx_http_xslt_filter_module.c +4 -2
- data/vendor/nginx/src/http/modules/perl/ngx_http_perl_module.c +2 -1
- data/vendor/nginx/src/http/ngx_http.c +10 -5
- data/vendor/nginx/src/http/ngx_http.h +4 -4
- data/vendor/nginx/src/http/ngx_http_cache.h +26 -1
- data/vendor/nginx/src/http/ngx_http_copy_filter_module.c +109 -68
- data/vendor/nginx/src/http/ngx_http_core_module.c +191 -46
- data/vendor/nginx/src/http/ngx_http_core_module.h +16 -4
- data/vendor/nginx/src/http/ngx_http_file_cache.c +584 -67
- data/vendor/nginx/src/http/ngx_http_parse.c +55 -4
- data/vendor/nginx/src/http/ngx_http_request.c +14 -6
- data/vendor/nginx/src/http/ngx_http_request.h +12 -4
- data/vendor/nginx/src/http/ngx_http_request_body.c +114 -28
- data/vendor/nginx/src/http/ngx_http_spdy.c +383 -229
- data/vendor/nginx/src/http/ngx_http_spdy.h +8 -5
- data/vendor/nginx/src/http/ngx_http_spdy_filter_module.c +12 -4
- data/vendor/nginx/src/http/ngx_http_special_response.c +2 -2
- data/vendor/nginx/src/http/ngx_http_upstream.c +808 -132
- data/vendor/nginx/src/http/ngx_http_upstream.h +33 -3
- data/vendor/nginx/src/http/ngx_http_upstream_round_robin.c +72 -65
- data/vendor/nginx/src/http/ngx_http_upstream_round_robin.h +1 -2
- data/vendor/nginx/src/http/ngx_http_variables.c +47 -3
- data/vendor/nginx/src/http/ngx_http_write_filter_module.c +15 -6
- data/vendor/nginx/src/mail/ngx_mail.c +2 -3
- data/vendor/nginx/src/mail/ngx_mail.h +2 -0
- data/vendor/nginx/src/mail/ngx_mail_auth_http_module.c +140 -11
- data/vendor/nginx/src/mail/ngx_mail_core_module.c +3 -3
- data/vendor/nginx/src/mail/ngx_mail_handler.c +79 -2
- data/vendor/nginx/src/mail/ngx_mail_imap_module.c +3 -1
- data/vendor/nginx/src/mail/ngx_mail_pop3_module.c +3 -1
- data/vendor/nginx/src/mail/ngx_mail_smtp_module.c +3 -1
- data/vendor/nginx/src/mail/ngx_mail_ssl_module.c +125 -1
- data/vendor/nginx/src/mail/ngx_mail_ssl_module.h +8 -0
- data/vendor/nginx/src/misc/ngx_cpp_test_module.cpp +1 -1
- data/vendor/nginx/src/os/unix/ngx_aio_read_chain.c +1 -1
- data/vendor/nginx/src/os/unix/ngx_channel.c +0 -7
- data/vendor/nginx/src/os/unix/ngx_darwin_config.h +0 -3
- data/vendor/nginx/src/os/unix/ngx_darwin_sendfile_chain.c +44 -208
- data/vendor/nginx/src/os/unix/ngx_file_aio_read.c +25 -17
- data/vendor/nginx/src/os/unix/ngx_files.c +109 -0
- data/vendor/nginx/src/os/unix/ngx_files.h +6 -0
- data/vendor/nginx/src/os/unix/ngx_freebsd_config.h +0 -6
- data/vendor/nginx/src/os/unix/ngx_freebsd_sendfile_chain.c +78 -206
- data/vendor/nginx/src/os/unix/ngx_linux_aio_read.c +25 -14
- data/vendor/nginx/src/os/unix/ngx_linux_config.h +4 -1
- data/vendor/nginx/src/os/unix/ngx_linux_sendfile_chain.c +235 -194
- data/vendor/nginx/src/os/unix/ngx_os.h +25 -3
- data/vendor/nginx/src/os/unix/ngx_posix_init.c +4 -2
- data/vendor/nginx/src/os/unix/ngx_process_cycle.c +13 -195
- data/vendor/nginx/src/os/unix/ngx_process_cycle.h +0 -1
- data/vendor/nginx/src/os/unix/ngx_readv_chain.c +27 -108
- data/vendor/nginx/src/os/unix/ngx_setproctitle.h +2 -2
- data/vendor/nginx/src/os/unix/ngx_solaris_sendfilev_chain.c +12 -67
- data/vendor/nginx/src/os/unix/ngx_thread.h +26 -83
- data/vendor/nginx/src/os/unix/ngx_thread_cond.c +87 -0
- data/vendor/nginx/src/os/unix/ngx_thread_id.c +70 -0
- data/vendor/nginx/src/os/unix/ngx_thread_mutex.c +174 -0
- data/vendor/nginx/src/os/unix/ngx_user.c +2 -20
- data/vendor/nginx/src/os/unix/ngx_writev_chain.c +129 -98
- metadata +16 -17
- data/vendor/nginx/auto/lib/zlib/patch.zlib.h +0 -10
- data/vendor/nginx/src/event/ngx_event_busy_lock.c +0 -286
- data/vendor/nginx/src/event/ngx_event_busy_lock.h +0 -65
- data/vendor/nginx/src/event/ngx_event_mutex.c +0 -70
- data/vendor/nginx/src/http/ngx_http_busy_lock.c +0 -307
- data/vendor/nginx/src/http/ngx_http_busy_lock.h +0 -54
- data/vendor/nginx/src/os/unix/ngx_freebsd_rfork_thread.c +0 -756
- data/vendor/nginx/src/os/unix/ngx_freebsd_rfork_thread.h +0 -122
- data/vendor/nginx/src/os/unix/ngx_pthread_thread.c +0 -278
- data/vendor/nginx/src/os/unix/rfork_thread.S +0 -73
@@ -27,14 +27,6 @@ typedef struct {
|
|
27
27
|
#endif
|
28
28
|
|
29
29
|
|
30
|
-
typedef struct {
|
31
|
-
ngx_uint_t lock;
|
32
|
-
|
33
|
-
ngx_event_t *events;
|
34
|
-
ngx_event_t *last;
|
35
|
-
} ngx_event_mutex_t;
|
36
|
-
|
37
|
-
|
38
30
|
struct ngx_event_s {
|
39
31
|
void *data;
|
40
32
|
|
@@ -74,9 +66,7 @@ struct ngx_event_s {
|
|
74
66
|
/* the pending eof reported by kqueue, epoll or in aio chain operation */
|
75
67
|
unsigned pending_eof:1;
|
76
68
|
|
77
|
-
|
78
|
-
unsigned posted_ready:1;
|
79
|
-
#endif
|
69
|
+
unsigned posted:1;
|
80
70
|
|
81
71
|
#if (NGX_WIN32)
|
82
72
|
/* setsockopt(SO_UPDATE_ACCEPT_CONTEXT) was successful */
|
@@ -129,39 +119,16 @@ struct ngx_event_s {
|
|
129
119
|
|
130
120
|
ngx_rbtree_node_t timer;
|
131
121
|
|
122
|
+
/* the posted queue */
|
123
|
+
ngx_queue_t queue;
|
124
|
+
|
132
125
|
unsigned closed:1;
|
133
126
|
|
134
127
|
/* to test on worker exit */
|
135
128
|
unsigned channel:1;
|
136
129
|
unsigned resolver:1;
|
137
130
|
|
138
|
-
|
139
|
-
|
140
|
-
unsigned locked:1;
|
141
|
-
|
142
|
-
unsigned posted_ready:1;
|
143
|
-
unsigned posted_timedout:1;
|
144
|
-
unsigned posted_eof:1;
|
145
|
-
|
146
|
-
#if (NGX_HAVE_KQUEUE)
|
147
|
-
/* the pending errno reported by kqueue */
|
148
|
-
int posted_errno;
|
149
|
-
#endif
|
150
|
-
|
151
|
-
#if (NGX_HAVE_KQUEUE) || (NGX_HAVE_IOCP)
|
152
|
-
int posted_available;
|
153
|
-
#else
|
154
|
-
unsigned posted_available:1;
|
155
|
-
#endif
|
156
|
-
|
157
|
-
ngx_atomic_t *lock;
|
158
|
-
ngx_atomic_t *own_lock;
|
159
|
-
|
160
|
-
#endif
|
161
|
-
|
162
|
-
/* the links of the posted queue */
|
163
|
-
ngx_event_t *next;
|
164
|
-
ngx_event_t **prev;
|
131
|
+
unsigned cancelable:1;
|
165
132
|
|
166
133
|
|
167
134
|
#if 0
|
@@ -193,23 +160,21 @@ struct ngx_event_aio_s {
|
|
193
160
|
ngx_event_handler_pt handler;
|
194
161
|
ngx_file_t *file;
|
195
162
|
|
163
|
+
#if (NGX_HAVE_AIO_SENDFILE)
|
164
|
+
ssize_t (*preload_handler)(ngx_buf_t *file);
|
165
|
+
#endif
|
166
|
+
|
196
167
|
ngx_fd_t fd;
|
197
168
|
|
198
169
|
#if (NGX_HAVE_EVENTFD)
|
199
170
|
int64_t res;
|
200
|
-
#if (NGX_TEST_BUILD_EPOLL)
|
201
|
-
ngx_err_t err;
|
202
|
-
size_t nbytes;
|
203
171
|
#endif
|
204
|
-
|
172
|
+
|
173
|
+
#if !(NGX_HAVE_EVENTFD) || (NGX_TEST_BUILD_EPOLL)
|
205
174
|
ngx_err_t err;
|
206
175
|
size_t nbytes;
|
207
176
|
#endif
|
208
177
|
|
209
|
-
#if (NGX_HAVE_AIO_SENDFILE)
|
210
|
-
off_t last_offset;
|
211
|
-
#endif
|
212
|
-
|
213
178
|
ngx_aiocb_t aiocb;
|
214
179
|
ngx_event_t event;
|
215
180
|
};
|
@@ -227,7 +192,8 @@ typedef struct {
|
|
227
192
|
ngx_int_t (*add_conn)(ngx_connection_t *c);
|
228
193
|
ngx_int_t (*del_conn)(ngx_connection_t *c, ngx_uint_t flags);
|
229
194
|
|
230
|
-
ngx_int_t (*
|
195
|
+
ngx_int_t (*notify)(ngx_event_handler_pt handler);
|
196
|
+
|
231
197
|
ngx_int_t (*process_events)(ngx_cycle_t *cycle, ngx_msec_t timer,
|
232
198
|
ngx_uint_t flags);
|
233
199
|
|
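Review bot: The new `notify` slot in ngx_event_actions_t, and the `ngx_notify` macro added further down in this header, carry no comment stating what a caller may assume about them. If event modules that do not implement notification leave the slot NULL (inferred; the module initialisers are not on this page), every caller has to test `ngx_notify` before calling through it. A one-line comment on the member would make that contract visible, for example `/* optional: NULL when the event method has no notification support; check before use */`. The struct definition starts and ends outside this hunk.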
@@ -440,7 +406,6 @@ extern ngx_event_actions_t ngx_event_actions;
|
|
440
406
|
#endif
|
441
407
|
|
442
408
|
|
443
|
-
#define ngx_process_changes ngx_event_actions.process_changes
|
444
409
|
#define ngx_process_events ngx_event_actions.process_events
|
445
410
|
#define ngx_done_events ngx_event_actions.done
|
446
411
|
|
@@ -449,6 +414,8 @@ extern ngx_event_actions_t ngx_event_actions;
|
|
449
414
|
#define ngx_add_conn ngx_event_actions.add_conn
|
450
415
|
#define ngx_del_conn ngx_event_actions.del_conn
|
451
416
|
|
417
|
+
#define ngx_notify ngx_event_actions.notify
|
418
|
+
|
452
419
|
#define ngx_add_timer ngx_event_add_timer
|
453
420
|
#define ngx_del_timer ngx_event_del_timer
|
454
421
|
|
@@ -519,7 +486,6 @@ extern ngx_atomic_t *ngx_stat_waiting;
|
|
519
486
|
|
520
487
|
#define NGX_UPDATE_TIME 1
|
521
488
|
#define NGX_POST_EVENTS 2
|
522
|
-
#define NGX_POST_THREAD_EVENTS 4
|
523
489
|
|
524
490
|
|
525
491
|
extern sig_atomic_t ngx_event_timer_alarm;
|
@@ -559,7 +525,6 @@ ngx_int_t ngx_send_lowat(ngx_connection_t *c, size_t lowat);
|
|
559
525
|
|
560
526
|
#include <ngx_event_timer.h>
|
561
527
|
#include <ngx_event_posted.h>
|
562
|
-
#include <ngx_event_busy_lock.h>
|
563
528
|
|
564
529
|
#if (NGX_WIN32)
|
565
530
|
#include <ngx_iocp_module.h>
|
@@ -262,13 +262,6 @@ ngx_event_accept(ngx_event_t *ev)
|
|
262
262
|
(void) ngx_atomic_fetch_add(ngx_stat_handled, 1);
|
263
263
|
#endif
|
264
264
|
|
265
|
-
#if (NGX_THREADS)
|
266
|
-
rev->lock = &c->lock;
|
267
|
-
wev->lock = &c->lock;
|
268
|
-
rev->own_lock = &c->lock;
|
269
|
-
wev->own_lock = &c->lock;
|
270
|
-
#endif
|
271
|
-
|
272
265
|
if (ls->addr_ntop) {
|
273
266
|
c->addr_text.data = ngx_pnalloc(c->pool, ls->addr_text_max_len);
|
274
267
|
if (c->addr_text.data == NULL) {
|
@@ -288,9 +281,11 @@ ngx_event_accept(ngx_event_t *ev)
|
|
288
281
|
#if (NGX_DEBUG)
|
289
282
|
{
|
290
283
|
|
284
|
+
ngx_str_t addr;
|
291
285
|
struct sockaddr_in *sin;
|
292
286
|
ngx_cidr_t *cidr;
|
293
287
|
ngx_uint_t i;
|
288
|
+
u_char text[NGX_SOCKADDR_STRLEN];
|
294
289
|
#if (NGX_HAVE_INET6)
|
295
290
|
struct sockaddr_in6 *sin6;
|
296
291
|
ngx_uint_t n;
|
@@ -340,12 +335,18 @@ ngx_event_accept(ngx_event_t *ev)
|
|
340
335
|
continue;
|
341
336
|
}
|
342
337
|
|
338
|
+
if (log->log_level & NGX_LOG_DEBUG_EVENT) {
|
339
|
+
addr.data = text;
|
340
|
+
addr.len = ngx_sock_ntop(c->sockaddr, c->socklen, text,
|
341
|
+
NGX_SOCKADDR_STRLEN, 1);
|
342
|
+
|
343
|
+
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
|
344
|
+
"*%uA accept: %V fd:%d", c->number, &addr, s);
|
345
|
+
}
|
346
|
+
|
343
347
|
}
|
344
348
|
#endif
|
345
349
|
|
346
|
-
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
|
347
|
-
"*%uA accept: %V fd:%d", c->number, &c->addr_text, s);
|
348
|
-
|
349
350
|
if (ngx_add_conn && (ngx_event_flags & NGX_USE_EPOLL_EVENT) == 0) {
|
350
351
|
if (ngx_add_conn(c) == NGX_ERROR) {
|
351
352
|
ngx_close_accepted_connection(c);
|
@@ -104,17 +104,6 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
|
|
104
104
|
|
105
105
|
c->number = ngx_atomic_fetch_add(ngx_connection_counter, 1);
|
106
106
|
|
107
|
-
#if (NGX_THREADS)
|
108
|
-
|
109
|
-
/* TODO: lock event when call completion handler */
|
110
|
-
|
111
|
-
rev->lock = pc->lock;
|
112
|
-
wev->lock = pc->lock;
|
113
|
-
rev->own_lock = &c->lock;
|
114
|
-
wev->own_lock = &c->lock;
|
115
|
-
|
116
|
-
#endif
|
117
|
-
|
118
107
|
if (ngx_add_conn) {
|
119
108
|
if (ngx_add_conn(c) == NGX_ERROR) {
|
120
109
|
goto failed;
|
@@ -42,6 +42,7 @@ struct ngx_peer_connection_s {
|
|
42
42
|
ngx_str_t *name;
|
43
43
|
|
44
44
|
ngx_uint_t tries;
|
45
|
+
ngx_msec_t start_time;
|
45
46
|
|
46
47
|
ngx_event_get_peer_pt get;
|
47
48
|
ngx_event_free_peer_pt free;
|
@@ -52,10 +53,6 @@ struct ngx_peer_connection_s {
|
|
52
53
|
ngx_event_save_peer_session_pt save_session;
|
53
54
|
#endif
|
54
55
|
|
55
|
-
#if (NGX_THREADS)
|
56
|
-
ngx_atomic_t *lock;
|
57
|
-
#endif
|
58
|
-
|
59
56
|
ngx_addr_t *local;
|
60
57
|
|
61
58
|
int rcvbuf;
|
@@ -10,14 +10,20 @@
|
|
10
10
|
#include <ngx_event.h>
|
11
11
|
|
12
12
|
|
13
|
+
#define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
|
14
|
+
|
15
|
+
|
13
16
|
typedef struct {
|
14
17
|
ngx_uint_t engine; /* unsigned engine:1; */
|
15
18
|
} ngx_openssl_conf_t;
|
16
19
|
|
17
20
|
|
21
|
+
static int ngx_ssl_password_callback(char *buf, int size, int rwflag,
|
22
|
+
void *userdata);
|
18
23
|
static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
|
19
24
|
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
|
20
25
|
int ret);
|
26
|
+
static void ngx_ssl_passwords_cleanup(void *data);
|
21
27
|
static void ngx_ssl_handshake_handler(ngx_event_t *ev);
|
22
28
|
static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
|
23
29
|
static void ngx_ssl_write_handler(ngx_event_t *wev);
|
@@ -46,6 +52,10 @@ static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
|
46
52
|
HMAC_CTX *hctx, int enc);
|
47
53
|
#endif
|
48
54
|
|
55
|
+
#if (OPENSSL_VERSION_NUMBER < 0x10002002L || defined LIBRESSL_VERSION_NUMBER)
|
56
|
+
static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
|
57
|
+
#endif
|
58
|
+
|
49
59
|
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
|
50
60
|
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
|
51
61
|
static void ngx_openssl_exit(ngx_cycle_t *cycle);
|
@@ -98,7 +108,9 @@ int ngx_ssl_stapling_index;
|
|
98
108
|
ngx_int_t
|
99
109
|
ngx_ssl_init(ngx_log_t *log)
|
100
110
|
{
|
111
|
+
#ifndef OPENSSL_IS_BORINGSSL
|
101
112
|
OPENSSL_config(NULL);
|
113
|
+
#endif
|
102
114
|
|
103
115
|
SSL_library_init();
|
104
116
|
SSL_load_error_strings();
|
@@ -196,27 +208,53 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|
196
208
|
|
197
209
|
/* client side options */
|
198
210
|
|
211
|
+
#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
|
199
212
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
|
213
|
+
#endif
|
214
|
+
|
215
|
+
#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
|
200
216
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
|
217
|
+
#endif
|
201
218
|
|
202
219
|
/* server side options */
|
203
220
|
|
221
|
+
#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
|
204
222
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
|
223
|
+
#endif
|
224
|
+
|
225
|
+
#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
|
205
226
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
|
227
|
+
#endif
|
206
228
|
|
207
229
|
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
|
208
230
|
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
|
209
231
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
|
210
232
|
#endif
|
211
233
|
|
234
|
+
#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
|
212
235
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
|
236
|
+
#endif
|
237
|
+
|
238
|
+
#ifdef SSL_OP_TLS_D5_BUG
|
213
239
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
|
240
|
+
#endif
|
241
|
+
|
242
|
+
#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
|
214
243
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
|
244
|
+
#endif
|
215
245
|
|
246
|
+
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
|
216
247
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
|
248
|
+
#endif
|
217
249
|
|
218
250
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
|
219
251
|
|
252
|
+
#ifdef SSL_CTRL_CLEAR_OPTIONS
|
253
|
+
/* only in 0.9.8m+ */
|
254
|
+
SSL_CTX_clear_options(ssl->ctx,
|
255
|
+
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
|
256
|
+
#endif
|
257
|
+
|
220
258
|
if (!(protocols & NGX_SSL_SSLv2)) {
|
221
259
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
|
222
260
|
}
|
@@ -227,11 +265,13 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|
227
265
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
|
228
266
|
}
|
229
267
|
#ifdef SSL_OP_NO_TLSv1_1
|
268
|
+
SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
|
230
269
|
if (!(protocols & NGX_SSL_TLSv1_1)) {
|
231
270
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
|
232
271
|
}
|
233
272
|
#endif
|
234
273
|
#ifdef SSL_OP_NO_TLSv1_2
|
274
|
+
SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
|
235
275
|
if (!(protocols & NGX_SSL_TLSv1_2)) {
|
236
276
|
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
|
237
277
|
}
|
@@ -245,6 +285,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|
245
285
|
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
|
246
286
|
#endif
|
247
287
|
|
288
|
+
#ifdef SSL_MODE_NO_AUTO_CHAIN
|
289
|
+
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
|
290
|
+
#endif
|
291
|
+
|
248
292
|
SSL_CTX_set_read_ahead(ssl->ctx, 1);
|
249
293
|
|
250
294
|
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
|
@@ -255,11 +299,13 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|
255
299
|
|
256
300
|
ngx_int_t
|
257
301
|
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
258
|
-
ngx_str_t *key)
|
302
|
+
ngx_str_t *key, ngx_array_t *passwords)
|
259
303
|
{
|
260
|
-
BIO
|
261
|
-
X509
|
262
|
-
u_long
|
304
|
+
BIO *bio;
|
305
|
+
X509 *x509;
|
306
|
+
u_long n;
|
307
|
+
ngx_str_t *pwd;
|
308
|
+
ngx_uint_t tries;
|
263
309
|
|
264
310
|
if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
|
265
311
|
return NGX_ERROR;
|
@@ -342,23 +388,135 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
|
342
388
|
|
343
389
|
BIO_free(bio);
|
344
390
|
|
391
|
+
if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
|
392
|
+
|
393
|
+
#ifndef OPENSSL_NO_ENGINE
|
394
|
+
|
395
|
+
u_char *p, *last;
|
396
|
+
ENGINE *engine;
|
397
|
+
EVP_PKEY *pkey;
|
398
|
+
|
399
|
+
p = key->data + sizeof("engine:") - 1;
|
400
|
+
last = (u_char *) ngx_strchr(p, ':');
|
401
|
+
|
402
|
+
if (last == NULL) {
|
403
|
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
404
|
+
"invalid syntax in \"%V\"", key);
|
405
|
+
return NGX_ERROR;
|
406
|
+
}
|
407
|
+
|
408
|
+
*last = '\0';
|
409
|
+
|
410
|
+
engine = ENGINE_by_id((char *) p);
|
411
|
+
|
412
|
+
if (engine == NULL) {
|
413
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
414
|
+
"ENGINE_by_id(\"%s\") failed", p);
|
415
|
+
return NGX_ERROR;
|
416
|
+
}
|
417
|
+
|
418
|
+
*last++ = ':';
|
419
|
+
|
420
|
+
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
|
421
|
+
|
422
|
+
if (pkey == NULL) {
|
423
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
424
|
+
"ENGINE_load_private_key(\"%s\") failed", last);
|
425
|
+
ENGINE_free(engine);
|
426
|
+
return NGX_ERROR;
|
427
|
+
}
|
428
|
+
|
429
|
+
ENGINE_free(engine);
|
430
|
+
|
431
|
+
if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
|
432
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
433
|
+
"SSL_CTX_use_PrivateKey(\"%s\") failed", last);
|
434
|
+
EVP_PKEY_free(pkey);
|
435
|
+
return NGX_ERROR;
|
436
|
+
}
|
437
|
+
|
438
|
+
EVP_PKEY_free(pkey);
|
439
|
+
|
440
|
+
return NGX_OK;
|
441
|
+
|
442
|
+
#else
|
443
|
+
|
444
|
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
445
|
+
"loading \"engine:...\" certificate keys "
|
446
|
+
"is not supported");
|
447
|
+
return NGX_ERROR;
|
448
|
+
|
449
|
+
#endif
|
450
|
+
}
|
451
|
+
|
345
452
|
if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
|
346
453
|
return NGX_ERROR;
|
347
454
|
}
|
348
455
|
|
349
|
-
if (
|
350
|
-
|
351
|
-
|
352
|
-
|
456
|
+
if (passwords) {
|
457
|
+
tries = passwords->nelts;
|
458
|
+
pwd = passwords->elts;
|
459
|
+
|
460
|
+
SSL_CTX_set_default_passwd_cb(ssl->ctx, ngx_ssl_password_callback);
|
461
|
+
SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, pwd);
|
462
|
+
|
463
|
+
} else {
|
464
|
+
tries = 1;
|
465
|
+
#if (NGX_SUPPRESS_WARN)
|
466
|
+
pwd = NULL;
|
467
|
+
#endif
|
468
|
+
}
|
469
|
+
|
470
|
+
for ( ;; ) {
|
471
|
+
|
472
|
+
if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
|
473
|
+
SSL_FILETYPE_PEM)
|
474
|
+
!= 0)
|
475
|
+
{
|
476
|
+
break;
|
477
|
+
}
|
478
|
+
|
479
|
+
if (--tries) {
|
480
|
+
ERR_clear_error();
|
481
|
+
SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
|
482
|
+
continue;
|
483
|
+
}
|
484
|
+
|
353
485
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
354
486
|
"SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
|
355
487
|
return NGX_ERROR;
|
356
488
|
}
|
357
489
|
|
490
|
+
SSL_CTX_set_default_passwd_cb(ssl->ctx, NULL);
|
491
|
+
|
358
492
|
return NGX_OK;
|
359
493
|
}
|
360
494
|
|
361
495
|
|
496
|
+
static int
|
497
|
+
ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
|
498
|
+
{
|
499
|
+
ngx_str_t *pwd = userdata;
|
500
|
+
|
501
|
+
if (rwflag) {
|
502
|
+
ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
|
503
|
+
"ngx_ssl_password_callback() is called for encryption");
|
504
|
+
return 0;
|
505
|
+
}
|
506
|
+
|
507
|
+
if (pwd->len > (size_t) size) {
|
508
|
+
ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0,
|
509
|
+
"password is truncated to %d bytes", size);
|
510
|
+
} else {
|
511
|
+
size = pwd->len;
|
512
|
+
}
|
513
|
+
|
514
|
+
ngx_memcpy(buf, pwd->data, size);
|
515
|
+
|
516
|
+
return size;
|
517
|
+
}
|
518
|
+
|
519
|
+
|
362
520
|
ngx_int_t
|
363
521
|
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
364
522
|
ngx_int_t depth)
|
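Review bot: An empty `passwords` array sets `tries` to 0 in ngx_ssl_certificate(), so the first failed key load reaches `if (--tries)`, the unsigned counter wraps, and the retry loop keeps stepping `pwd` past the end of the array. ngx_ssl_read_password_file() later in this diff always leaves at least one entry, but nothing in this non-static function enforces that; rejecting `passwords->nelts == 0` before the loop would. The success path also resets only the callback, so `SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, NULL);` should accompany it. Without that, the userdata pointer keeps referring to temp_pool memory, and OpenSSL's default PEM callback treats a non-NULL userdata as a passphrase string. The function begins in an earlier hunk.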
@@ -521,7 +679,7 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
|
|
521
679
|
|
522
680
|
ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
523
681
|
"verify:%d, error:%d, depth:%d, "
|
524
|
-
"subject:\"%s\",issuer
|
682
|
+
"subject:\"%s\", issuer:\"%s\"",
|
525
683
|
ok, err, depth, subject, issuer);
|
526
684
|
|
527
685
|
if (sname) {
|
@@ -585,16 +743,164 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
|
|
585
743
|
{
|
586
744
|
static RSA *key;
|
587
745
|
|
588
|
-
if (key_length
|
589
|
-
|
590
|
-
key = RSA_generate_key(512, RSA_F4, NULL, NULL);
|
591
|
-
}
|
746
|
+
if (key_length != 512) {
|
747
|
+
return NULL;
|
592
748
|
}
|
593
749
|
|
750
|
+
#ifndef OPENSSL_NO_DEPRECATED
|
751
|
+
|
752
|
+
if (key == NULL) {
|
753
|
+
key = RSA_generate_key(512, RSA_F4, NULL, NULL);
|
754
|
+
}
|
755
|
+
|
756
|
+
#endif
|
757
|
+
|
594
758
|
return key;
|
595
759
|
}
|
596
760
|
|
597
761
|
|
762
|
+
ngx_array_t *
|
763
|
+
ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
|
764
|
+
{
|
765
|
+
u_char *p, *last, *end;
|
766
|
+
size_t len;
|
767
|
+
ssize_t n;
|
768
|
+
ngx_fd_t fd;
|
769
|
+
ngx_str_t *pwd;
|
770
|
+
ngx_array_t *passwords;
|
771
|
+
ngx_pool_cleanup_t *cln;
|
772
|
+
u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE];
|
773
|
+
|
774
|
+
if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
|
775
|
+
return NULL;
|
776
|
+
}
|
777
|
+
|
778
|
+
cln = ngx_pool_cleanup_add(cf->temp_pool, 0);
|
779
|
+
passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t));
|
780
|
+
|
781
|
+
if (cln == NULL || passwords == NULL) {
|
782
|
+
return NULL;
|
783
|
+
}
|
784
|
+
|
785
|
+
cln->handler = ngx_ssl_passwords_cleanup;
|
786
|
+
cln->data = passwords;
|
787
|
+
|
788
|
+
fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
|
789
|
+
if (fd == NGX_INVALID_FILE) {
|
790
|
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
|
791
|
+
ngx_open_file_n " \"%s\" failed", file->data);
|
792
|
+
return NULL;
|
793
|
+
}
|
794
|
+
|
795
|
+
len = 0;
|
796
|
+
last = buf;
|
797
|
+
|
798
|
+
do {
|
799
|
+
n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len);
|
800
|
+
|
801
|
+
if (n == -1) {
|
802
|
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
|
803
|
+
ngx_read_fd_n " \"%s\" failed", file->data);
|
804
|
+
passwords = NULL;
|
805
|
+
goto cleanup;
|
806
|
+
}
|
807
|
+
|
808
|
+
end = last + n;
|
809
|
+
|
810
|
+
if (len && n == 0) {
|
811
|
+
*end++ = LF;
|
812
|
+
}
|
813
|
+
|
814
|
+
p = buf;
|
815
|
+
|
816
|
+
for ( ;; ) {
|
817
|
+
last = ngx_strlchr(last, end, LF);
|
818
|
+
|
819
|
+
if (last == NULL) {
|
820
|
+
break;
|
821
|
+
}
|
822
|
+
|
823
|
+
len = last++ - p;
|
824
|
+
|
825
|
+
if (len && p[len - 1] == CR) {
|
826
|
+
len--;
|
827
|
+
}
|
828
|
+
|
829
|
+
if (len) {
|
830
|
+
pwd = ngx_array_push(passwords);
|
831
|
+
if (pwd == NULL) {
|
832
|
+
passwords = NULL;
|
833
|
+
goto cleanup;
|
834
|
+
}
|
835
|
+
|
836
|
+
pwd->len = len;
|
837
|
+
pwd->data = ngx_pnalloc(cf->temp_pool, len);
|
838
|
+
|
839
|
+
if (pwd->data == NULL) {
|
840
|
+
passwords->nelts--;
|
841
|
+
passwords = NULL;
|
842
|
+
goto cleanup;
|
843
|
+
}
|
844
|
+
|
845
|
+
ngx_memcpy(pwd->data, p, len);
|
846
|
+
}
|
847
|
+
|
848
|
+
p = last;
|
849
|
+
}
|
850
|
+
|
851
|
+
len = end - p;
|
852
|
+
|
853
|
+
if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) {
|
854
|
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
855
|
+
"too long line in \"%s\"", file->data);
|
856
|
+
passwords = NULL;
|
857
|
+
goto cleanup;
|
858
|
+
}
|
859
|
+
|
860
|
+
ngx_memmove(buf, p, len);
|
861
|
+
last = buf + len;
|
862
|
+
|
863
|
+
} while (n != 0);
|
864
|
+
|
865
|
+
if (passwords->nelts == 0) {
|
866
|
+
pwd = ngx_array_push(passwords);
|
867
|
+
if (pwd == NULL) {
|
868
|
+
passwords = NULL;
|
869
|
+
goto cleanup;
|
870
|
+
}
|
871
|
+
|
872
|
+
ngx_memzero(pwd, sizeof(ngx_str_t));
|
873
|
+
}
|
874
|
+
|
875
|
+
cleanup:
|
876
|
+
|
877
|
+
if (ngx_close_file(fd) == NGX_FILE_ERROR) {
|
878
|
+
ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno,
|
879
|
+
ngx_close_file_n " \"%s\" failed", file->data);
|
880
|
+
}
|
881
|
+
|
882
|
+
ngx_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);
|
883
|
+
|
884
|
+
return passwords;
|
885
|
+
}
|
886
|
+
|
887
|
+
|
888
|
+
static void
|
889
|
+
ngx_ssl_passwords_cleanup(void *data)
|
890
|
+
{
|
891
|
+
ngx_array_t *passwords = data;
|
892
|
+
|
893
|
+
ngx_str_t *pwd;
|
894
|
+
ngx_uint_t i;
|
895
|
+
|
896
|
+
pwd = passwords->elts;
|
897
|
+
|
898
|
+
for (i = 0; i < passwords->nelts; i++) {
|
899
|
+
ngx_memzero(pwd[i].data, pwd[i].len);
|
900
|
+
}
|
901
|
+
}
|
902
|
+
|
903
|
+
|
598
904
|
ngx_int_t
|
599
905
|
ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
|
600
906
|
{
|
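Review bot: The closing `ngx_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);` in ngx_ssl_read_password_file() clears a stack buffer that is never read again, which is exactly the store a compiler may discard as dead, assuming ngx_memzero is the usual memset wrapper (its definition is not on this page). The per-entry wipe in ngx_ssl_passwords_cleanup() has the same exposure, since it presumably runs just before the pool memory is released. Both should use a wipe the optimiser cannot elide, such as a memset followed by a compiler barrier; later nginx releases add `ngx_explicit_memzero()` for this. A comment above `buf` would also help the next maintainer: `/* holds raw passphrase bytes; every exit after the first read must wipe it */`.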
@@ -852,11 +1158,15 @@ ngx_ssl_handshake(ngx_connection_t *c)
|
|
852
1158
|
c->recv_chain = ngx_ssl_recv_chain;
|
853
1159
|
c->send_chain = ngx_ssl_send_chain;
|
854
1160
|
|
1161
|
+
#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
|
1162
|
+
|
855
1163
|
/* initial handshake done, disable renegotiation (CVE-2009-3555) */
|
856
1164
|
if (c->ssl->connection->s3) {
|
857
1165
|
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
|
858
1166
|
}
|
859
1167
|
|
1168
|
+
#endif
|
1169
|
+
|
860
1170
|
return NGX_OK;
|
861
1171
|
}
|
862
1172
|
|
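Review bot: Wrapping the post-handshake block in `#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` means a build against a library that lacks the macro drops this renegotiation guard, the one the existing comment ties to CVE-2009-3555, without leaving any trace. If renegotiation is also refused elsewhere, which cannot be confirmed from this hunk, say so at the `#ifdef`, for example `/* flag absent in some libraries; renegotiation is still rejected in <handler name> */`. Otherwise an `#else` branch should supply an equivalent check or fail the build. ngx_ssl_handshake() starts and ends outside the hunk.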
@@ -903,8 +1213,8 @@ ngx_ssl_handshake(ngx_connection_t *c)
|
|
903
1213
|
c->read->eof = 1;
|
904
1214
|
|
905
1215
|
if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
|
906
|
-
|
907
|
-
|
1216
|
+
ngx_connection_error(c, err,
|
1217
|
+
"peer closed connection in SSL handshake");
|
908
1218
|
|
909
1219
|
return NGX_ERROR;
|
910
1220
|
}
|
@@ -941,10 +1251,10 @@ ngx_ssl_handshake_handler(ngx_event_t *ev)
|
|
941
1251
|
|
942
1252
|
|
943
1253
|
ssize_t
|
944
|
-
ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl)
|
1254
|
+
ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit)
|
945
1255
|
{
|
946
1256
|
u_char *last;
|
947
|
-
ssize_t n, bytes;
|
1257
|
+
ssize_t n, bytes, size;
|
948
1258
|
ngx_buf_t *b;
|
949
1259
|
|
950
1260
|
bytes = 0;
|
@@ -953,8 +1263,19 @@ ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl)
|
|
953
1263
|
last = b->last;
|
954
1264
|
|
955
1265
|
for ( ;; ) {
|
1266
|
+
size = b->end - last;
|
956
1267
|
|
957
|
-
|
1268
|
+
if (limit) {
|
1269
|
+
if (bytes >= limit) {
|
1270
|
+
return bytes;
|
1271
|
+
}
|
1272
|
+
|
1273
|
+
if (bytes + size > limit) {
|
1274
|
+
size = (ssize_t) (limit - bytes);
|
1275
|
+
}
|
1276
|
+
}
|
1277
|
+
|
1278
|
+
n = ngx_ssl_recv(c, last, size);
|
958
1279
|
|
959
1280
|
if (n > 0) {
|
960
1281
|
last += n;
|
@@ -1207,7 +1528,6 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
|
|
1207
1528
|
}
|
1208
1529
|
|
1209
1530
|
in->buf->pos += n;
|
1210
|
-
c->sent += n;
|
1211
1531
|
|
1212
1532
|
if (in->buf->pos == in->buf->last) {
|
1213
1533
|
in = in->next;
|
@@ -1308,7 +1628,6 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
|
|
1308
1628
|
}
|
1309
1629
|
|
1310
1630
|
buf->pos += n;
|
1311
|
-
c->sent += n;
|
1312
1631
|
|
1313
1632
|
if (n < size) {
|
1314
1633
|
break;
|
@@ -1366,6 +1685,8 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
|
|
1366
1685
|
ngx_post_event(c->read, &ngx_posted_events);
|
1367
1686
|
}
|
1368
1687
|
|
1688
|
+
c->sent += n;
|
1689
|
+
|
1369
1690
|
return n;
|
1370
1691
|
}
|
1371
1692
|
|
@@ -1958,9 +2279,10 @@ static int
|
|
1958
2279
|
ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
1959
2280
|
{
|
1960
2281
|
int len;
|
1961
|
-
u_char *p, *id, *cached_sess;
|
2282
|
+
u_char *p, *id, *cached_sess, *session_id;
|
1962
2283
|
uint32_t hash;
|
1963
2284
|
SSL_CTX *ssl_ctx;
|
2285
|
+
unsigned int session_id_length;
|
1964
2286
|
ngx_shm_zone_t *shm_zone;
|
1965
2287
|
ngx_connection_t *c;
|
1966
2288
|
ngx_slab_pool_t *shpool;
|
@@ -2023,13 +2345,24 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|
2023
2345
|
}
|
2024
2346
|
}
|
2025
2347
|
|
2348
|
+
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
2349
|
+
|
2350
|
+
session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
|
2351
|
+
|
2352
|
+
#else
|
2353
|
+
|
2354
|
+
session_id = sess->session_id;
|
2355
|
+
session_id_length = sess->session_id_length;
|
2356
|
+
|
2357
|
+
#endif
|
2358
|
+
|
2026
2359
|
#if (NGX_PTR_SIZE == 8)
|
2027
2360
|
|
2028
2361
|
id = sess_id->sess_id;
|
2029
2362
|
|
2030
2363
|
#else
|
2031
2364
|
|
2032
|
-
id = ngx_slab_alloc_locked(shpool,
|
2365
|
+
id = ngx_slab_alloc_locked(shpool, session_id_length);
|
2033
2366
|
|
2034
2367
|
if (id == NULL) {
|
2035
2368
|
|
@@ -2037,7 +2370,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|
2037
2370
|
|
2038
2371
|
ngx_ssl_expire_sessions(cache, shpool, 0);
|
2039
2372
|
|
2040
|
-
id = ngx_slab_alloc_locked(shpool,
|
2373
|
+
id = ngx_slab_alloc_locked(shpool, session_id_length);
|
2041
2374
|
|
2042
2375
|
if (id == NULL) {
|
2043
2376
|
goto failed;
|
@@ -2048,16 +2381,16 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|
2048
2381
|
|
2049
2382
|
ngx_memcpy(cached_sess, buf, len);
|
2050
2383
|
|
2051
|
-
ngx_memcpy(id,
|
2384
|
+
ngx_memcpy(id, session_id, session_id_length);
|
2052
2385
|
|
2053
|
-
hash = ngx_crc32_short(
|
2386
|
+
hash = ngx_crc32_short(session_id, session_id_length);
|
2054
2387
|
|
2055
2388
|
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
2056
|
-
"ssl new session: %08XD:%
|
2057
|
-
hash,
|
2389
|
+
"ssl new session: %08XD:%ud:%d",
|
2390
|
+
hash, session_id_length, len);
|
2058
2391
|
|
2059
2392
|
sess_id->node.key = hash;
|
2060
|
-
sess_id->node.data = (u_char)
|
2393
|
+
sess_id->node.data = (u_char) session_id_length;
|
2061
2394
|
sess_id->id = id;
|
2062
2395
|
sess_id->len = len;
|
2063
2396
|
sess_id->session = cached_sess;
|
@@ -2205,10 +2538,10 @@ ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
|
|
2205
2538
|
static void
|
2206
2539
|
ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
|
2207
2540
|
{
|
2208
|
-
size_t len;
|
2209
2541
|
u_char *id;
|
2210
2542
|
uint32_t hash;
|
2211
2543
|
ngx_int_t rc;
|
2544
|
+
unsigned int len;
|
2212
2545
|
ngx_shm_zone_t *shm_zone;
|
2213
2546
|
ngx_slab_pool_t *shpool;
|
2214
2547
|
ngx_rbtree_node_t *node, *sentinel;
|
@@ -2223,13 +2556,21 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
|
|
2223
2556
|
|
2224
2557
|
cache = shm_zone->data;
|
2225
2558
|
|
2559
|
+
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
2560
|
+
|
2561
|
+
id = (u_char *) SSL_SESSION_get_id(sess, &len);
|
2562
|
+
|
2563
|
+
#else
|
2564
|
+
|
2226
2565
|
id = sess->session_id;
|
2227
|
-
len =
|
2566
|
+
len = sess->session_id_length;
|
2567
|
+
|
2568
|
+
#endif
|
2228
2569
|
|
2229
2570
|
hash = ngx_crc32_short(id, len);
|
2230
2571
|
|
2231
2572
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
|
2232
|
-
"ssl remove session: %08XD:%
|
2573
|
+
"ssl remove session: %08XD:%ud", hash, len);
|
2233
2574
|
|
2234
2575
|
shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
|
2235
2576
|
|
@@ -2515,7 +2856,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
|
2515
2856
|
if (enc == 1) {
|
2516
2857
|
/* encrypt session ticket */
|
2517
2858
|
|
2518
|
-
ngx_log_debug3(
|
2859
|
+
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
2519
2860
|
"ssl session ticket encrypt, key: \"%*s\" (%s session)",
|
2520
2861
|
ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
|
2521
2862
|
SSL_session_reused(ssl_conn) ? "reused" : "new");
|
@@ -2524,7 +2865,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
|
2524
2865
|
EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key[0].aes_key, iv);
|
2525
2866
|
HMAC_Init_ex(hctx, key[0].hmac_key, 16,
|
2526
2867
|
ngx_ssl_session_ticket_md(), NULL);
|
2527
|
-
|
2868
|
+
ngx_memcpy(name, key[0].name, 16);
|
2528
2869
|
|
2529
2870
|
return 0;
|
2530
2871
|
|
@@ -2537,7 +2878,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
|
2537
2878
|
}
|
2538
2879
|
}
|
2539
2880
|
|
2540
|
-
ngx_log_debug2(
|
2881
|
+
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
2541
2882
|
"ssl session ticket decrypt, key: \"%*s\" not found",
|
2542
2883
|
ngx_hex_dump(buf, name, 16) - buf, buf);
|
2543
2884
|
|
@@ -2545,7 +2886,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
|
2545
2886
|
|
2546
2887
|
found:
|
2547
2888
|
|
2548
|
-
ngx_log_debug3(
|
2889
|
+
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
2549
2890
|
"ssl session ticket decrypt, key: \"%*s\"%s",
|
2550
2891
|
ngx_hex_dump(buf, key[i].name, 16) - buf, buf,
|
2551
2892
|
(i == 0) ? " (default)" : "");
|
@@ -2583,6 +2924,175 @@ ngx_ssl_cleanup_ctx(void *data)
|
|
2583
2924
|
}
|
2584
2925
|
|
2585
2926
|
|
2927
|
+
ngx_int_t
|
2928
|
+
ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name)
|
2929
|
+
{
|
2930
|
+
X509 *cert;
|
2931
|
+
|
2932
|
+
cert = SSL_get_peer_certificate(c->ssl->connection);
|
2933
|
+
if (cert == NULL) {
|
2934
|
+
return NGX_ERROR;
|
2935
|
+
}
|
2936
|
+
|
2937
|
+
#if (OPENSSL_VERSION_NUMBER >= 0x10002002L && !defined LIBRESSL_VERSION_NUMBER)
|
2938
|
+
|
2939
|
+
/* X509_check_host() is only available in OpenSSL 1.0.2+ */
|
2940
|
+
|
2941
|
+
if (name->len == 0) {
|
2942
|
+
goto failed;
|
2943
|
+
}
|
2944
|
+
|
2945
|
+
if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) {
|
2946
|
+
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
2947
|
+
"X509_check_host(): no match");
|
2948
|
+
goto failed;
|
2949
|
+
}
|
2950
|
+
|
2951
|
+
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
2952
|
+
"X509_check_host(): match");
|
2953
|
+
|
2954
|
+
goto found;
|
2955
|
+
|
2956
|
+
#else
|
2957
|
+
{
|
2958
|
+
int n, i;
|
2959
|
+
X509_NAME *sname;
|
2960
|
+
ASN1_STRING *str;
|
2961
|
+
X509_NAME_ENTRY *entry;
|
2962
|
+
GENERAL_NAME *altname;
|
2963
|
+
STACK_OF(GENERAL_NAME) *altnames;
|
2964
|
+
|
2965
|
+
/*
|
2966
|
+
* As per RFC6125 and RFC2818, we check subjectAltName extension,
|
2967
|
+
* and if it's not present - commonName in Subject is checked.
|
2968
|
+
*/
|
2969
|
+
|
2970
|
+
altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
|
2971
|
+
|
2972
|
+
if (altnames) {
|
2973
|
+
n = sk_GENERAL_NAME_num(altnames);
|
2974
|
+
|
2975
|
+
for (i = 0; i < n; i++) {
|
2976
|
+
altname = sk_GENERAL_NAME_value(altnames, i);
|
2977
|
+
|
2978
|
+
if (altname->type != GEN_DNS) {
|
2979
|
+
continue;
|
2980
|
+
}
|
2981
|
+
|
2982
|
+
str = altname->d.dNSName;
|
2983
|
+
|
2984
|
+
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
2985
|
+
"SSL subjectAltName: \"%*s\"",
|
2986
|
+
ASN1_STRING_length(str), ASN1_STRING_data(str));
|
2987
|
+
|
2988
|
+
if (ngx_ssl_check_name(name, str) == NGX_OK) {
|
2989
|
+
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
2990
|
+
"SSL subjectAltName: match");
|
2991
|
+
GENERAL_NAMES_free(altnames);
|
2992
|
+
goto found;
|
2993
|
+
}
|
2994
|
+
}
|
2995
|
+
|
2996
|
+
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
2997
|
+
"SSL subjectAltName: no match");
|
2998
|
+
|
2999
|
+
GENERAL_NAMES_free(altnames);
|
3000
|
+
goto failed;
|
3001
|
+
}
|
3002
|
+
|
3003
|
+
/*
|
3004
|
+
* If there is no subjectAltName extension, check commonName
|
3005
|
+
* in Subject. While RFC2818 requires to only check "most specific"
|
3006
|
+
* CN, both Apache and OpenSSL check all CNs, and so do we.
|
3007
|
+
*/
|
3008
|
+
|
3009
|
+
sname = X509_get_subject_name(cert);
|
3010
|
+
|
3011
|
+
if (sname == NULL) {
|
3012
|
+
goto failed;
|
3013
|
+
}
|
3014
|
+
|
3015
|
+
i = -1;
|
3016
|
+
for ( ;; ) {
|
3017
|
+
i = X509_NAME_get_index_by_NID(sname, NID_commonName, i);
|
3018
|
+
|
3019
|
+
if (i < 0) {
|
3020
|
+
break;
|
3021
|
+
}
|
3022
|
+
|
3023
|
+
entry = X509_NAME_get_entry(sname, i);
|
3024
|
+
str = X509_NAME_ENTRY_get_data(entry);
|
3025
|
+
|
3026
|
+
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
3027
|
+
"SSL commonName: \"%*s\"",
|
3028
|
+
ASN1_STRING_length(str), ASN1_STRING_data(str));
|
3029
|
+
|
3030
|
+
if (ngx_ssl_check_name(name, str) == NGX_OK) {
|
3031
|
+
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
3032
|
+
"SSL commonName: match");
|
3033
|
+
goto found;
|
3034
|
+
}
|
3035
|
+
}
|
3036
|
+
|
3037
|
+
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
3038
|
+
"SSL commonName: no match");
|
3039
|
+
}
|
3040
|
+
#endif
|
3041
|
+
|
3042
|
+
failed:
|
3043
|
+
|
3044
|
+
X509_free(cert);
|
3045
|
+
return NGX_ERROR;
|
3046
|
+
|
3047
|
+
found:
|
3048
|
+
|
3049
|
+
X509_free(cert);
|
3050
|
+
return NGX_OK;
|
3051
|
+
}
|
3052
|
+
|
3053
|
+
|
3054
|
+
#if (OPENSSL_VERSION_NUMBER < 0x10002002L || defined LIBRESSL_VERSION_NUMBER)
|
3055
|
+
|
3056
|
+
static ngx_int_t
|
3057
|
+
ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
|
3058
|
+
{
|
3059
|
+
u_char *s, *p, *end;
|
3060
|
+
size_t slen, plen;
|
3061
|
+
|
3062
|
+
s = name->data;
|
3063
|
+
slen = name->len;
|
3064
|
+
|
3065
|
+
p = ASN1_STRING_data(pattern);
|
3066
|
+
plen = ASN1_STRING_length(pattern);
|
3067
|
+
|
3068
|
+
if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) {
|
3069
|
+
return NGX_OK;
|
3070
|
+
}
|
3071
|
+
|
3072
|
+
if (plen > 2 && p[0] == '*' && p[1] == '.') {
|
3073
|
+
plen -= 1;
|
3074
|
+
p += 1;
|
3075
|
+
|
3076
|
+
end = s + slen;
|
3077
|
+
s = ngx_strlchr(s, end, '.');
|
3078
|
+
|
3079
|
+
if (s == NULL) {
|
3080
|
+
return NGX_ERROR;
|
3081
|
+
}
|
3082
|
+
|
3083
|
+
slen = end - s;
|
3084
|
+
|
3085
|
+
if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) {
|
3086
|
+
return NGX_OK;
|
3087
|
+
}
|
3088
|
+
}
|
3089
|
+
|
3090
|
+
return NGX_ERROR;
|
3091
|
+
}
|
3092
|
+
|
3093
|
+
#endif
|
3094
|
+
|
3095
|
+
|
2586
3096
|
ngx_int_t
|
2587
3097
|
ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
2588
3098
|
{
|
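Review bot: The empty-name rejection `if (name->len == 0) { goto failed; }` exists only in the `X509_check_host()` branch of ngx_ssl_check_host. The fallback branch passes a zero-length `name` to ngx_ssl_check_name, whose first test `slen == plen && ngx_strncasecmp(s, p, plen) == 0` would presumably succeed against a zero-length dNSName or commonName entry. Moving the length check above the `#if` makes both builds reject an empty expected name the same way. The fallback also compares the raw ASN1_STRING bytes without looking at the string type, and treats `*.` only as a whole left-most label. A short comment on ngx_ssl_check_name stating those limits would help anyone relying on verification with older OpenSSL or LibreSSL.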
@@ -2602,9 +3112,9 @@ ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|
2602
3112
|
ngx_int_t
|
2603
3113
|
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
2604
3114
|
{
|
2605
|
-
|
2606
|
-
|
2607
|
-
|
3115
|
+
u_char *buf;
|
3116
|
+
SSL_SESSION *sess;
|
3117
|
+
unsigned int len;
|
2608
3118
|
|
2609
3119
|
sess = SSL_get0_session(c->ssl->connection);
|
2610
3120
|
if (sess == NULL) {
|
@@ -2612,9 +3122,17 @@ ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|
2612
3122
|
return NGX_OK;
|
2613
3123
|
}
|
2614
3124
|
|
3125
|
+
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
3126
|
+
|
3127
|
+
buf = (u_char *) SSL_SESSION_get_id(sess, &len);
|
3128
|
+
|
3129
|
+
#else
|
3130
|
+
|
2615
3131
|
buf = sess->session_id;
|
2616
3132
|
len = sess->session_id_length;
|
2617
3133
|
|
3134
|
+
#endif
|
3135
|
+
|
2618
3136
|
s->len = 2 * len;
|
2619
3137
|
s->data = ngx_pnalloc(pool, 2 * len);
|
2620
3138
|
if (s->data == NULL) {
|
@@ -2641,6 +3159,28 @@ ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|
2641
3159
|
}
|
2642
3160
|
|
2643
3161
|
|
3162
|
+
ngx_int_t
|
3163
|
+
ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
3164
|
+
{
|
3165
|
+
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
3166
|
+
|
3167
|
+
const char *servername;
|
3168
|
+
|
3169
|
+
servername = SSL_get_servername(c->ssl->connection,
|
3170
|
+
TLSEXT_NAMETYPE_host_name);
|
3171
|
+
if (servername) {
|
3172
|
+
s->data = (u_char *) servername;
|
3173
|
+
s->len = ngx_strlen(servername);
|
3174
|
+
return NGX_OK;
|
3175
|
+
}
|
3176
|
+
|
3177
|
+
#endif
|
3178
|
+
|
3179
|
+
s->len = 0;
|
3180
|
+
return NGX_OK;
|
3181
|
+
}
|
3182
|
+
|
3183
|
+
|
2644
3184
|
ngx_int_t
|
2645
3185
|
ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
2646
3186
|
{
|
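Review bot: `s->data = (u_char *) servername;` hands callers a pointer into memory owned by the TLS library and leaves the `pool` argument unused. The other getters visible on this page (`ngx_ssl_get_session_id`, `ngx_ssl_get_fingerprint`) allocate their result from `pool`. Whether that memory outlives every use of the returned string cannot be shown from this hunk, so copying the name into `pool` removes the lifetime assumption. The value is also the client-supplied SNI name returned verbatim, which deserves a one-line comment so consumers treat it as untrusted input.

```c
    if (servername) {
        /* copy: the string is owned by the TLS library, not by pool */
        s->len = ngx_strlen(servername);
        s->data = ngx_pnalloc(pool, s->len);
        if (s->data == NULL) {
            return NGX_ERROR;
        }

        ngx_memcpy(s->data, servername, s->len);
        return NGX_OK;
    }
    /* … unchanged: #endif and the empty-result return … */
```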
@@ -2858,6 +3398,40 @@ ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|
2858
3398
|
}
|
2859
3399
|
|
2860
3400
|
|
3401
|
+
ngx_int_t
|
3402
|
+
ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
3403
|
+
{
|
3404
|
+
X509 *cert;
|
3405
|
+
unsigned int len;
|
3406
|
+
u_char buf[EVP_MAX_MD_SIZE];
|
3407
|
+
|
3408
|
+
s->len = 0;
|
3409
|
+
|
3410
|
+
cert = SSL_get_peer_certificate(c->ssl->connection);
|
3411
|
+
if (cert == NULL) {
|
3412
|
+
return NGX_OK;
|
3413
|
+
}
|
3414
|
+
|
3415
|
+
if (!X509_digest(cert, EVP_sha1(), buf, &len)) {
|
3416
|
+
X509_free(cert);
|
3417
|
+
return NGX_ERROR;
|
3418
|
+
}
|
3419
|
+
|
3420
|
+
s->len = 2 * len;
|
3421
|
+
s->data = ngx_pnalloc(pool, 2 * len);
|
3422
|
+
if (s->data == NULL) {
|
3423
|
+
X509_free(cert);
|
3424
|
+
return NGX_ERROR;
|
3425
|
+
}
|
3426
|
+
|
3427
|
+
ngx_hex_dump(s->data, buf, len);
|
3428
|
+
|
3429
|
+
X509_free(cert);
|
3430
|
+
|
3431
|
+
return NGX_OK;
|
3432
|
+
}
|
3433
|
+
|
3434
|
+
|
2861
3435
|
ngx_int_t
|
2862
3436
|
ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
2863
3437
|
{
|
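Review bot: ngx_ssl_get_fingerprint hard-codes `EVP_sha1()` and nothing in the function says so, so a consumer that compares the value to authorize a client inherits SHA-1's collision weakness without knowing it. A header comment such as `/* hex SHA-1 digest of the peer certificate; for identification and logging, not a collision-resistant identity */` would document that. How the value is consumed is not visible here. As a style point, the three `X509_free(cert)` exits could share one cleanup label, matching the `failed:`/`found:` layout used in ngx_ssl_check_host.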
@@ -2906,6 +3480,8 @@ ngx_openssl_create_conf(ngx_cycle_t *cycle)
|
|
2906
3480
|
static char *
|
2907
3481
|
ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
2908
3482
|
{
|
3483
|
+
#ifndef OPENSSL_NO_ENGINE
|
3484
|
+
|
2909
3485
|
ngx_openssl_conf_t *oscf = conf;
|
2910
3486
|
|
2911
3487
|
ENGINE *engine;
|
@@ -2940,6 +3516,12 @@ ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|
2940
3516
|
ENGINE_free(engine);
|
2941
3517
|
|
2942
3518
|
return NGX_CONF_OK;
|
3519
|
+
|
3520
|
+
#else
|
3521
|
+
|
3522
|
+
return "is not supported";
|
3523
|
+
|
3524
|
+
#endif
|
2943
3525
|
}
|
2944
3526
|
|
2945
3527
|
|
@@ -2947,5 +3529,7 @@ static void
|
|
2947
3529
|
ngx_openssl_exit(ngx_cycle_t *cycle)
|
2948
3530
|
{
|
2949
3531
|
EVP_cleanup();
|
3532
|
+
#ifndef OPENSSL_NO_ENGINE
|
2950
3533
|
ENGINE_cleanup();
|
3534
|
+
#endif
|
2951
3535
|
}
|