nginxtra 1.6.3.9 → 1.8.0.9

data/vendor/nginx/src/http/ngx_http_write_filter_module.c

@@ -48,7 +48,7 @@ ngx_int_t
 ngx_http_write_filter(ngx_http_request_t *r, ngx_chain_t *in)
 {
     off_t                      size, sent, nsent, limit;
-    ngx_uint_t                 last, flush;
+    ngx_uint_t                 last, flush, sync;
     ngx_msec_t                 delay;
     ngx_chain_t               *cl, *ln, **ll, *chain;
     ngx_connection_t          *c;
@@ -62,6 +62,7 @@ ngx_http_write_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
     size = 0;
     flush = 0;
+    sync = 0;
     last = 0;
     ll = &r->out;
 
@@ -72,7 +73,7 @@ ngx_http_write_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
         ngx_log_debug7(NGX_LOG_DEBUG_EVENT, c->log, 0,
                        "write old buf t:%d f:%d %p, pos %p, size: %z "
-                       "file: %O, size: %z",
+                       "file: %O, size: %O",
                        cl->buf->temporary, cl->buf->in_file,
                        cl->buf->start, cl->buf->pos,
                        cl->buf->last - cl->buf->pos,
@@ -105,6 +106,10 @@ ngx_http_write_filter(ngx_http_request_t *r, ngx_chain_t *in)
             flush = 1;
         }
 
+        if (cl->buf->sync) {
+            sync = 1;
+        }
+
         if (cl->buf->last_buf) {
             last = 1;
         }
@@ -124,7 +129,7 @@ ngx_http_write_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
         ngx_log_debug7(NGX_LOG_DEBUG_EVENT, c->log, 0,
                        "write new buf t:%d f:%d %p, pos %p, size: %z "
-                       "file: %O, size: %z",
+                       "file: %O, size: %O",
                        cl->buf->temporary, cl->buf->in_file,
                        cl->buf->start, cl->buf->pos,
                        cl->buf->last - cl->buf->pos,
@@ -157,6 +162,10 @@ ngx_http_write_filter(ngx_http_request_t *r, ngx_chain_t *in)
             flush = 1;
         }
 
+        if (cl->buf->sync) {
+            sync = 1;
+        }
+
         if (cl->buf->last_buf) {
             last = 1;
         }
@@ -188,7 +197,7 @@ ngx_http_write_filter(ngx_http_request_t *r, ngx_chain_t *in)
         && !(c->buffered & NGX_LOWLEVEL_BUFFERED)
         && !(last && c->need_last_buf))
     {
-        if (last || flush) {
+        if (last || flush || sync) {
             for (cl = r->out; cl; /* void */) {
                 ln = cl;
                 cl = cl->next;
@@ -219,8 +228,8 @@ ngx_http_write_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
         if (limit <= 0) {
             c->write->delayed = 1;
-            ngx_add_timer(c->write,
-                          (ngx_msec_t) (- limit * 1000 / r->limit_rate + 1));
+            delay = (ngx_msec_t) (- limit * 1000 / r->limit_rate + 1);
+            ngx_add_timer(c->write, delay);
 
             c->buffered |= NGX_HTTP_WRITE_BUFFERED;
 

data/vendor/nginx/src/mail/ngx_mail.c

@@ -98,7 +98,7 @@ ngx_mail_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 
     *(ngx_mail_conf_ctx_t **) conf = ctx;
 
-    /* count the number of the http modules and set up their indices */
+    /* count the number of the mail modules and set up their indices */
 
     ngx_mail_max_module = 0;
     for (m = 0; ngx_modules[m]; m++) {
@@ -131,8 +131,7 @@ ngx_mail_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 
 
     /*
-     * create the main_conf's, the null srv_conf's, and the null loc_conf's
-     * of the all mail modules
+     * create the main_conf's and the null srv_conf's of the all mail modules
      */
 
     for (m = 0; ngx_modules[m]; m++) {

data/vendor/nginx/src/mail/ngx_mail.h

@@ -336,6 +336,8 @@ struct ngx_mail_protocol_s {
     ngx_mail_auth_state_pt      auth_state;
 
     ngx_str_t                   internal_server_error;
+    ngx_str_t                   cert_error;
+    ngx_str_t                   no_cert;
 };
 
 

data/vendor/nginx/src/mail/ngx_mail_auth_http_module.c

@@ -16,6 +16,7 @@ typedef struct {
     ngx_addr_t                     *peer;
 
     ngx_msec_t                      timeout;
+    ngx_flag_t                      pass_client_cert;
 
     ngx_str_t                       host_header;
     ngx_str_t                       uri;
@@ -106,6 +107,13 @@ static ngx_command_t  ngx_mail_auth_http_commands[] = {
       0,
       NULL },
 
+    { ngx_string("auth_http_pass_client_cert"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_auth_http_conf_t, pass_client_cert),
+      NULL },
+
       ngx_null_command
 };
 
@@ -1143,6 +1151,12 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
     size_t                     len;
     ngx_buf_t                 *b;
     ngx_str_t                  login, passwd;
+#if (NGX_MAIL_SSL)
+    ngx_str_t                  verify, subject, issuer, serial, fingerprint,
+                               raw_cert, cert;
+    ngx_connection_t          *c;
+    ngx_mail_ssl_conf_t       *sslcf;
+#endif
     ngx_mail_core_srv_conf_t  *cscf;
 
     if (ngx_mail_auth_http_escape(pool, &s->login, &login) != NGX_OK) {
@@ -1153,6 +1167,62 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
         return NULL;
     }
 
+#if (NGX_MAIL_SSL)
+
+    c = s->connection;
+    sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
+
+    if (c->ssl && sslcf->verify) {
+
+        /* certificate details */
+
+        if (ngx_ssl_get_client_verify(c, pool, &verify) != NGX_OK) {
+            return NULL;
+        }
+
+        if (ngx_ssl_get_subject_dn(c, pool, &subject) != NGX_OK) {
+            return NULL;
+        }
+
+        if (ngx_ssl_get_issuer_dn(c, pool, &issuer) != NGX_OK) {
+            return NULL;
+        }
+
+        if (ngx_ssl_get_serial_number(c, pool, &serial) != NGX_OK) {
+            return NULL;
+        }
+
+        if (ngx_ssl_get_fingerprint(c, pool, &fingerprint) != NGX_OK) {
+            return NULL;
+        }
+
+        if (ahcf->pass_client_cert) {
+
+            /* certificate itself, if configured */
+
+            if (ngx_ssl_get_raw_certificate(c, pool, &raw_cert) != NGX_OK) {
+                return NULL;
+            }
+
+            if (ngx_mail_auth_http_escape(pool, &raw_cert, &cert) != NGX_OK) {
+                return NULL;
+            }
+
+        } else {
+            ngx_str_null(&cert);
+        }
+
+    } else {
+        ngx_str_null(&verify);
+        ngx_str_null(&subject);
+        ngx_str_null(&issuer);
+        ngx_str_null(&serial);
+        ngx_str_null(&fingerprint);
+        ngx_str_null(&cert);
+    }
+
+#endif
+
     cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);
 
     len = sizeof("GET ") - 1 + ahcf->uri.len + sizeof(" HTTP/1.0" CRLF) - 1
@@ -1170,9 +1240,19 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
           + sizeof("Client-IP: ") - 1 + s->connection->addr_text.len
                 + sizeof(CRLF) - 1
           + sizeof("Client-Host: ") - 1 + s->host.len + sizeof(CRLF) - 1
-          + sizeof("Auth-SMTP-Helo: ") - 1 + s->smtp_helo.len
-          + sizeof("Auth-SMTP-From: ") - 1 + s->smtp_from.len
-          + sizeof("Auth-SMTP-To: ") - 1 + s->smtp_to.len
+          + sizeof("Auth-SMTP-Helo: ") - 1 + s->smtp_helo.len + sizeof(CRLF) - 1
+          + sizeof("Auth-SMTP-From: ") - 1 + s->smtp_from.len + sizeof(CRLF) - 1
+          + sizeof("Auth-SMTP-To: ") - 1 + s->smtp_to.len + sizeof(CRLF) - 1
+#if (NGX_MAIL_SSL)
+          + sizeof("Auth-SSL: on" CRLF) - 1
+          + sizeof("Auth-SSL-Verify: ") - 1 + verify.len + sizeof(CRLF) - 1
+          + sizeof("Auth-SSL-Subject: ") - 1 + subject.len + sizeof(CRLF) - 1
+          + sizeof("Auth-SSL-Issuer: ") - 1 + issuer.len + sizeof(CRLF) - 1
+          + sizeof("Auth-SSL-Serial: ") - 1 + serial.len + sizeof(CRLF) - 1
+          + sizeof("Auth-SSL-Fingerprint: ") - 1 + fingerprint.len
+              + sizeof(CRLF) - 1
+          + sizeof("Auth-SSL-Cert: ") - 1 + cert.len + sizeof(CRLF) - 1
+#endif
           + ahcf->header.len
           + sizeof(CRLF) - 1;
 
@@ -1255,6 +1335,57 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
 
     }
 
+#if (NGX_MAIL_SSL)
+
+    if (c->ssl) {
+        b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF,
+                             sizeof("Auth-SSL: on" CRLF) - 1);
+
+        if (verify.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
+                                 sizeof("Auth-SSL-Verify: ") - 1);
+            b->last = ngx_copy(b->last, verify.data, verify.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
+        if (subject.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Subject: ",
+                                 sizeof("Auth-SSL-Subject: ") - 1);
+            b->last = ngx_copy(b->last, subject.data, subject.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
+        if (issuer.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Issuer: ",
+                                 sizeof("Auth-SSL-Issuer: ") - 1);
+            b->last = ngx_copy(b->last, issuer.data, issuer.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
+        if (serial.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Serial: ",
+                                 sizeof("Auth-SSL-Serial: ") - 1);
+            b->last = ngx_copy(b->last, serial.data, serial.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
+        if (fingerprint.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Fingerprint: ",
+                                 sizeof("Auth-SSL-Fingerprint: ") - 1);
+            b->last = ngx_copy(b->last, fingerprint.data, fingerprint.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
+        if (cert.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Cert: ",
+                                 sizeof("Auth-SSL-Cert: ") - 1);
+            b->last = ngx_copy(b->last, cert.data, cert.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+    }
+
+#endif
+
     if (ahcf->header.len) {
         b->last = ngx_copy(b->last, ahcf->header.data, ahcf->header.len);
     }
@@ -1263,14 +1394,9 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
     *b->last++ = CR; *b->last++ = LF;
 
 #if (NGX_DEBUG_MAIL_PASSWD)
-    {
-    ngx_str_t  l;
-
-    l.len = b->last - b->pos;
-    l.data = b->pos;
-    ngx_log_debug1(NGX_LOG_DEBUG_MAIL, s->connection->log, 0,
-                   "mail auth http header:\n\"%V\"", &l);
-    }
+    ngx_log_debug2(NGX_LOG_DEBUG_MAIL, s->connection->log, 0,
+                   "mail auth http header:%N\"%*s\"",
+                   (size_t) (b->last - b->pos), b->pos);
 #endif
 
     return b;
@@ -1316,6 +1442,7 @@ ngx_mail_auth_http_create_conf(ngx_conf_t *cf)
     }
 
     ahcf->timeout = NGX_CONF_UNSET_MSEC;
+    ahcf->pass_client_cert = NGX_CONF_UNSET;
 
     ahcf->file = cf->conf_file->file.name.data;
     ahcf->line = cf->conf_file->line;
@@ -1351,6 +1478,8 @@ ngx_mail_auth_http_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 
     ngx_conf_merge_msec_value(conf->timeout, prev->timeout, 60000);
 
+    ngx_conf_merge_value(conf->pass_client_cert, prev->pass_client_cert, 0);
+
     if (conf->headers == NULL) {
         conf->headers = prev->headers;
         conf->header = prev->header;

data/vendor/nginx/src/mail/ngx_mail_core_module.c

@@ -41,7 +41,7 @@ static ngx_command_t  ngx_mail_core_commands[] = {
       NULL },
 
     { ngx_string("listen"),
-      NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
+      NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
       ngx_mail_core_listen,
       NGX_MAIL_SRV_CONF_OFFSET,
       0,
@@ -336,7 +336,7 @@ ngx_mail_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
             off = offsetof(struct sockaddr_in6, sin6_addr);
             len = 16;
             sin6 = (struct sockaddr_in6 *) sa;
-            port = sin6->sin6_port;
+            port = ntohs(sin6->sin6_port);
             break;
 #endif
 
@@ -352,7 +352,7 @@ ngx_mail_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
             off = offsetof(struct sockaddr_in, sin_addr);
             len = 4;
             sin = (struct sockaddr_in *) sa;
-            port = sin->sin_port;
+            port = ntohs(sin->sin_port);
             break;
         }
 

data/vendor/nginx/src/mail/ngx_mail_handler.c

@@ -16,12 +16,15 @@ static void ngx_mail_init_session(ngx_connection_t *c);
 #if (NGX_MAIL_SSL)
 static void ngx_mail_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c);
 static void ngx_mail_ssl_handshake_handler(ngx_connection_t *c);
+static ngx_int_t ngx_mail_verify_cert(ngx_mail_session_t *s,
+    ngx_connection_t *c);
 #endif
 
 
 void
 ngx_mail_init_connection(ngx_connection_t *c)
 {
+    size_t                 len;
     ngx_uint_t             i;
     ngx_mail_port_t       *port;
     struct sockaddr       *sa;
@@ -30,6 +33,7 @@ ngx_mail_init_connection(ngx_connection_t *c)
     ngx_mail_in_addr_t    *addr;
     ngx_mail_session_t    *s;
     ngx_mail_addr_conf_t  *addr_conf;
+    u_char                 text[NGX_SOCKADDR_STRLEN];
 #if (NGX_HAVE_INET6)
     struct sockaddr_in6   *sin6;
     ngx_mail_in6_addr_t   *addr6;
@@ -119,6 +123,8 @@ ngx_mail_init_connection(ngx_connection_t *c)
         return;
     }
 
+    s->signature = NGX_MAIL_MODULE;
+
     s->main_conf = addr_conf->ctx->main_conf;
     s->srv_conf = addr_conf->ctx->srv_conf;
 
@@ -127,8 +133,10 @@ ngx_mail_init_connection(ngx_connection_t *c)
     c->data = s;
     s->connection = c;
 
-    ngx_log_error(NGX_LOG_INFO, c->log, 0, "*%uA client %V connected to %V",
-                  c->number, &c->addr_text, s->addr_text);
+    len = ngx_sock_ntop(c->sockaddr, c->socklen, text, NGX_SOCKADDR_STRLEN, 1);
+
+    ngx_log_error(NGX_LOG_INFO, c->log, 0, "*%uA client %*s connected to %V",
+                  c->number, len, text, s->addr_text);
 
     ctx = ngx_palloc(c->pool, sizeof(ngx_mail_log_ctx_t));
     if (ctx == NULL) {
@@ -241,6 +249,10 @@ ngx_mail_ssl_handshake_handler(ngx_connection_t *c)
 
         s = c->data;
 
+        if (ngx_mail_verify_cert(s, c) != NGX_OK) {
+            return;
+        }
+
         if (s->starttls) {
             cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);
 
@@ -261,6 +273,71 @@ ngx_mail_ssl_handshake_handler(ngx_connection_t *c)
     ngx_mail_close_connection(c);
 }
 
+
+static ngx_int_t
+ngx_mail_verify_cert(ngx_mail_session_t *s, ngx_connection_t *c)
+{
+    long                       rc;
+    X509                      *cert;
+    ngx_mail_ssl_conf_t       *sslcf;
+    ngx_mail_core_srv_conf_t  *cscf;
+
+    sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
+
+    if (!sslcf->verify) {
+        return NGX_OK;
+    }
+
+    rc = SSL_get_verify_result(c->ssl->connection);
+
+    if (rc != X509_V_OK
+        && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+    {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "client SSL certificate verify error: (%l:%s)",
+                      rc, X509_verify_cert_error_string(rc));
+
+        ngx_ssl_remove_cached_session(sslcf->ssl.ctx,
+                                      (SSL_get0_session(c->ssl->connection)));
+
+        cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);
+
+        s->out = cscf->protocol->cert_error;
+        s->quit = 1;
+
+        c->write->handler = ngx_mail_send;
+
+        ngx_mail_send(s->connection->write);
+        return NGX_ERROR;
+    }
+
+    if (sslcf->verify == 1) {
+        cert = SSL_get_peer_certificate(c->ssl->connection);
+
+        if (cert == NULL) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client sent no required SSL certificate");
+
+            ngx_ssl_remove_cached_session(sslcf->ssl.ctx,
+                                       (SSL_get0_session(c->ssl->connection)));
+
+            cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);
+
+            s->out = cscf->protocol->no_cert;
+            s->quit = 1;
+
+            c->write->handler = ngx_mail_send;
+
+            ngx_mail_send(s->connection->write);
+            return NGX_ERROR;
+        }
+
+        X509_free(cert);
+    }
+
+    return NGX_OK;
+}
+
 #endif