nginxtra 1.6.3.9 → 1.8.0.9

data/vendor/nginx/src/mail/ngx_mail_imap_module.c

@@ -52,7 +52,9 @@ static ngx_mail_protocol_t  ngx_mail_imap_protocol = {
     ngx_mail_imap_parse_command,
     ngx_mail_imap_auth_state,
 
-    ngx_string("* BAD internal server error" CRLF)
+    ngx_string("* BAD internal server error" CRLF),
+    ngx_string("* BYE SSL certificate error" CRLF),
+    ngx_string("* BYE No required SSL certificate" CRLF)
 };
 
 

data/vendor/nginx/src/mail/ngx_mail_pop3_module.c

@@ -58,7 +58,9 @@ static ngx_mail_protocol_t  ngx_mail_pop3_protocol = {
     ngx_mail_pop3_parse_command,
     ngx_mail_pop3_auth_state,
 
-    ngx_string("-ERR internal server error" CRLF)
+    ngx_string("-ERR internal server error" CRLF),
+    ngx_string("-ERR SSL certificate error" CRLF),
+    ngx_string("-ERR No required SSL certificate" CRLF)
 };
 
 

data/vendor/nginx/src/mail/ngx_mail_smtp_module.c

@@ -45,7 +45,9 @@ static ngx_mail_protocol_t  ngx_mail_smtp_protocol = {
     ngx_mail_smtp_parse_command,
     ngx_mail_smtp_auth_state,
 
-    ngx_string("451 4.3.2 Internal server error" CRLF)
+    ngx_string("451 4.3.2 Internal server error" CRLF),
+    ngx_string("421 4.7.1 SSL certificate error" CRLF),
+    ngx_string("421 4.7.1 No required SSL certificate" CRLF)
 };
 
 

data/vendor/nginx/src/mail/ngx_mail_ssl_module.c

@@ -21,6 +21,8 @@ static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
+static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
+    void *conf);
 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 
@@ -44,6 +46,15 @@ static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
 };
 
 
+static ngx_conf_enum_t  ngx_mail_ssl_verify[] = {
+    { ngx_string("off"), 0 },
+    { ngx_string("on"), 1 },
+    { ngx_string("optional"), 2 },
+    { ngx_string("optional_no_ca"), 3 },
+    { ngx_null_string, 0 }
+};
+
+
 static ngx_command_t  ngx_mail_ssl_commands[] = {
 
     { ngx_string("ssl"),
@@ -74,6 +85,13 @@ static ngx_command_t  ngx_mail_ssl_commands[] = {
       offsetof(ngx_mail_ssl_conf_t, certificate_key),
       NULL },
 
+    { ngx_string("ssl_password_file"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_mail_ssl_password_file,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      0,
+      NULL },
+
     { ngx_string("ssl_dhparam"),
       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
@@ -137,6 +155,41 @@ static ngx_command_t  ngx_mail_ssl_commands[] = {
       offsetof(ngx_mail_ssl_conf_t, session_timeout),
       NULL },
 
+    { ngx_string("ssl_verify_client"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_enum_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, verify),
+      &ngx_mail_ssl_verify },
+
+    { ngx_string("ssl_verify_depth"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, verify_depth),
+      NULL },
+
+    { ngx_string("ssl_client_certificate"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, client_certificate),
+      NULL },
+
+    { ngx_string("ssl_trusted_certificate"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, trusted_certificate),
+      NULL },
+
+    { ngx_string("ssl_crl"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, crl),
+      NULL },
+
       ngx_null_command
 };
 
@@ -189,13 +242,19 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
      *     scf->certificate_key = { 0, NULL };
      *     scf->dhparam = { 0, NULL };
      *     scf->ecdh_curve = { 0, NULL };
+     *     scf->client_certificate = { 0, NULL };
+     *     scf->trusted_certificate = { 0, NULL };
+     *     scf->crl = { 0, NULL };
      *     scf->ciphers = { 0, NULL };
      *     scf->shm_zone = NULL;
      */
 
     scf->enable = NGX_CONF_UNSET;
     scf->starttls = NGX_CONF_UNSET_UINT;
+    scf->passwords = NGX_CONF_UNSET_PTR;
     scf->prefer_server_ciphers = NGX_CONF_UNSET;
+    scf->verify = NGX_CONF_UNSET_UINT;
+    scf->verify_depth = NGX_CONF_UNSET_UINT;
     scf->builtin_session_cache = NGX_CONF_UNSET;
     scf->session_timeout = NGX_CONF_UNSET;
     scf->session_tickets = NGX_CONF_UNSET;
@@ -228,14 +287,25 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
                          (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 
+    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+    ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
+
     ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
 
+    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
+
     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
     ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
                          NGX_DEFAULT_ECDH_CURVE);
 
+    ngx_conf_merge_str_value(conf->client_certificate,
+                         prev->client_certificate, "");
+    ngx_conf_merge_str_value(conf->trusted_certificate,
+                         prev->trusted_certificate, "");
+    ngx_conf_merge_str_value(conf->crl, prev->crl, "");
+
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
 
@@ -302,12 +372,41 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
     cln->data = &conf->ssl;
 
     if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
-                            &conf->certificate_key)
+                            &conf->certificate_key, conf->passwords)
         != NGX_OK)
     {
         return NGX_CONF_ERROR;
     }
 
+    if (conf->verify) {
+
+        if (conf->client_certificate.len == 0 && conf->verify != 3) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "no ssl_client_certificate for ssl_client_verify");
+            return NGX_CONF_ERROR;
+        }
+
+        if (ngx_ssl_client_certificate(cf, &conf->ssl,
+                                       &conf->client_certificate,
+                                       conf->verify_depth)
+            != NGX_OK)
+        {
+            return NGX_CONF_ERROR;
+        }
+
+        if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
+                                        &conf->trusted_certificate,
+                                        conf->verify_depth)
+            != NGX_OK)
+        {
+            return NGX_CONF_ERROR;
+        }
+
+        if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
+            return NGX_CONF_ERROR;
+        }
+    }
+
     if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
                                 (const char *) conf->ciphers.data)
         == 0)
@@ -322,7 +421,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
 
+#ifndef LIBRESSL_VERSION_NUMBER
     SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
+#endif
 
     if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
         return NGX_CONF_ERROR;
@@ -421,6 +522,29 @@ ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 }
 
 
+static char *
+ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+    ngx_mail_ssl_conf_t  *scf = conf;
+
+    ngx_str_t  *value;
+
+    if (scf->passwords != NGX_CONF_UNSET_PTR) {
+        return "is duplicate";
+    }
+
+    value = cf->args->elts;
+
+    scf->passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+    if (scf->passwords == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
+    return NGX_CONF_OK;
+}
+
+
 static char *
 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {

data/vendor/nginx/src/mail/ngx_mail_ssl_module.h

@@ -28,6 +28,9 @@ typedef struct {
     ngx_uint_t       starttls;
     ngx_uint_t       protocols;
 
+    ngx_uint_t       verify;
+    ngx_uint_t       verify_depth;
+
     ssize_t          builtin_session_cache;
 
     time_t           session_timeout;
@@ -36,9 +39,14 @@ typedef struct {
     ngx_str_t        certificate_key;
     ngx_str_t        dhparam;
     ngx_str_t        ecdh_curve;
+    ngx_str_t        client_certificate;
+    ngx_str_t        trusted_certificate;
+    ngx_str_t        crl;
 
     ngx_str_t        ciphers;
 
+    ngx_array_t     *passwords;
+
     ngx_shm_zone_t  *shm_zone;
 
     ngx_flag_t       session_tickets;

data/vendor/nginx/src/misc/ngx_cpp_test_module.cpp

@@ -1,5 +1,5 @@
 
-// stub module to test header files' C++ compatibilty
+// stub module to test header files' C++ compatibility
 
 extern "C" {
   #include <ngx_config.h>

data/vendor/nginx/src/os/unix/ngx_aio_read_chain.c

@@ -11,7 +11,7 @@
 
 
 ssize_t
-ngx_aio_read_chain(ngx_connection_t *c, ngx_chain_t *cl)
+ngx_aio_read_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit)
 {
     int           n;
     u_char       *buf, *prev;

data/vendor/nginx/src/os/unix/ngx_channel.c

@@ -216,13 +216,6 @@ ngx_add_channel_event(ngx_cycle_t *cycle, ngx_fd_t fd, ngx_int_t event,
     rev->log = cycle->log;
     wev->log = cycle->log;
 
-#if (NGX_THREADS)
-    rev->lock = &c->lock;
-    wev->lock = &c->lock;
-    rev->own_lock = &c->lock;
-    wev->own_lock = &c->lock;
-#endif
-
     rev->channel = 1;
     wev->channel = 1;
 

data/vendor/nginx/src/os/unix/ngx_darwin_config.h

@@ -9,9 +9,6 @@
 #define _NGX_DARWIN_CONFIG_H_INCLUDED_
 
 
-#define MAC_OS_X_VERSION_MIN_REQUIRED MAC_OS_X_VERSION_10_0
-
-
 #include <sys/types.h>
 #include <sys/time.h>
 #include <unistd.h>

data/vendor/nginx/src/os/unix/ngx_darwin_sendfile_chain.c

@@ -13,7 +13,7 @@
 /*
  * It seems that Darwin 9.4 (Mac OS X 1.5) sendfile() has the same
  * old bug as early FreeBSD sendfile() syscall:
- * http://www.freebsd.org/cgi/query-pr.cgi?pr=33771
+ * http://bugs.freebsd.org/33771
  *
  * Besides sendfile() has another bug: if one calls sendfile()
  * with both a header and a trailer, then sendfile() ignores a file part
@@ -27,30 +27,22 @@
  */
 
 
-#if (IOV_MAX > 64)
-#define NGX_HEADERS   64
-#define NGX_TRAILERS  64
-#else
-#define NGX_HEADERS   IOV_MAX
-#define NGX_TRAILERS  IOV_MAX
-#endif
-
-
 ngx_chain_t *
 ngx_darwin_sendfile_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
 {
     int              rc;
-    u_char          *prev;
-    off_t            size, send, prev_send, aligned, sent, fprev;
-    off_t            header_size, file_size;
-    ngx_uint_t       eintr, complete;
+    off_t            send, prev_send, sent;
+    off_t            file_size;
+    ssize_t          n;
+    ngx_uint_t       eintr;
     ngx_err_t        err;
     ngx_buf_t       *file;
-    ngx_array_t      header, trailer;
     ngx_event_t     *wev;
     ngx_chain_t     *cl;
+    ngx_iovec_t      header, trailer;
     struct sf_hdtr   hdtr;
-    struct iovec    *iov, headers[NGX_HEADERS], trailers[NGX_TRAILERS];
+    struct iovec     headers[NGX_IOVS_PREALLOCATE];
+    struct iovec     trailers[NGX_IOVS_PREALLOCATE];
 
     wev = c->write;
 
@@ -77,166 +69,68 @@ ngx_darwin_sendfile_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
 
     send = 0;
 
-    header.elts = headers;
-    header.size = sizeof(struct iovec);
-    header.nalloc = NGX_HEADERS;
-    header.pool = c->pool;
+    header.iovs = headers;
+    header.nalloc = NGX_IOVS_PREALLOCATE;
 
-    trailer.elts = trailers;
-    trailer.size = sizeof(struct iovec);
-    trailer.nalloc = NGX_TRAILERS;
-    trailer.pool = c->pool;
+    trailer.iovs = trailers;
+    trailer.nalloc = NGX_IOVS_PREALLOCATE;
 
     for ( ;; ) {
-        file = NULL;
-        file_size = 0;
-        header_size = 0;
         eintr = 0;
-        complete = 0;
         prev_send = send;
 
-        header.nelts = 0;
-        trailer.nelts = 0;
-
         /* create the header iovec and coalesce the neighbouring bufs */
 
-        prev = NULL;
-        iov = NULL;
-
-        for (cl = in; cl && send < limit; cl = cl->next) {
-
-            if (ngx_buf_special(cl->buf)) {
-                continue;
-            }
-
-            if (!ngx_buf_in_memory_only(cl->buf)) {
-                break;
-            }
-
-            size = cl->buf->last - cl->buf->pos;
-
-            if (send + size > limit) {
-                size = limit - send;
-            }
-
-            if (prev == cl->buf->pos) {
-                iov->iov_len += (size_t) size;
-
-            } else {
-                if (header.nelts >= IOV_MAX) {
-                    break;
-                }
-
-                iov = ngx_array_push(&header);
-                if (iov == NULL) {
-                    return NGX_CHAIN_ERROR;
-                }
-
-                iov->iov_base = (void *) cl->buf->pos;
-                iov->iov_len = (size_t) size;
-            }
+        cl = ngx_output_chain_to_iovec(&header, in, limit - send, c->log);
 
-            prev = cl->buf->pos + (size_t) size;
-            header_size += size;
-            send += size;
+        if (cl == NGX_CHAIN_ERROR) {
+            return NGX_CHAIN_ERROR;
         }
 
+        send += header.size;
 
         if (cl && cl->buf->in_file && send < limit) {
             file = cl->buf;
 
             /* coalesce the neighbouring file bufs */
 
-            do {
-                size = cl->buf->file_last - cl->buf->file_pos;
-
-                if (send + size > limit) {
-                    size = limit - send;
-
-                    aligned = (cl->buf->file_pos + size + ngx_pagesize - 1)
-                               & ~((off_t) ngx_pagesize - 1);
+            file_size = ngx_chain_coalesce_file(&cl, limit - send);
 
-                    if (aligned <= cl->buf->file_last) {
-                        size = aligned - cl->buf->file_pos;
-                    }
-                }
-
-                file_size += size;
-                send += size;
-                fprev = cl->buf->file_pos + size;
-                cl = cl->next;
+            send += file_size;
 
-            } while (cl
-                     && cl->buf->in_file
-                     && send < limit
-                     && file->file->fd == cl->buf->file->fd
-                     && fprev == cl->buf->file_pos);
-        }
+            if (header.count == 0) {
 
-        if (file && header.nelts == 0) {
-
-            /* create the trailer iovec and coalesce the neighbouring bufs */
-
-            prev = NULL;
-            iov = NULL;
-
-            while (cl && send < limit) {
-
-                if (ngx_buf_special(cl->buf)) {
-                    cl = cl->next;
-                    continue;
-                }
-
-                if (!ngx_buf_in_memory_only(cl->buf)) {
-                    break;
-                }
-
-                size = cl->buf->last - cl->buf->pos;
+                /*
+                 * create the trailer iovec and coalesce the neighbouring bufs
+                 */
 
-                if (send + size > limit) {
-                    size = limit - send;
+                cl = ngx_output_chain_to_iovec(&trailer, cl, limit - send,
+                                               c->log);
+                if (cl == NGX_CHAIN_ERROR) {
+                    return NGX_CHAIN_ERROR;
                 }
 
-                if (prev == cl->buf->pos) {
-                    iov->iov_len += (size_t) size;
-
-                } else {
-                    if (trailer.nelts >= IOV_MAX) {
-                        break;
-                    }
-
-                    iov = ngx_array_push(&trailer);
-                    if (iov == NULL) {
-                        return NGX_CHAIN_ERROR;
-                    }
-
-                    iov->iov_base = (void *) cl->buf->pos;
-                    iov->iov_len = (size_t) size;
-                }
+                send += trailer.size;
 
-                prev = cl->buf->pos + (size_t) size;
-                send += size;
-                cl = cl->next;
+            } else {
+                trailer.count = 0;
             }
-        }
-
-        if (file) {
 
             /*
              * sendfile() returns EINVAL if sf_hdtr's count is 0,
              * but corresponding pointer is not NULL
              */
 
-            hdtr.headers = header.nelts ? (struct iovec *) header.elts: NULL;
-            hdtr.hdr_cnt = header.nelts;
-            hdtr.trailers = trailer.nelts ? (struct iovec *) trailer.elts: NULL;
-            hdtr.trl_cnt = trailer.nelts;
+            hdtr.headers = header.count ? header.iovs : NULL;
+            hdtr.hdr_cnt = header.count;
+            hdtr.trailers = trailer.count ? trailer.iovs : NULL;
+            hdtr.trl_cnt = trailer.count;
 
-            sent = header_size + file_size;
+            sent = header.size + file_size;
 
             ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                           "sendfile: @%O %O h:%O",
-                           file->file_pos, sent, header_size);
+                           "sendfile: @%O %O h:%uz",
+                           file->file_pos, sent, header.size);
 
             rc = sendfile(file->file->fd, c->fd, file->file_pos,
                           &sent, &hdtr, 0);
@@ -279,86 +173,28 @@ ngx_darwin_sendfile_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
 
             ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
                            "sendfile: %d, @%O %O:%O",
-                           rc, file->file_pos, sent, file_size + header_size);
+                           rc, file->file_pos, sent, file_size + header.size);
 
         } else {
-            rc = writev(c->fd, header.elts, header.nelts);
-
-            ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
-                           "writev: %d of %uz", rc, send);
-
-            if (rc == -1) {
-                err = ngx_errno;
-
-                switch (err) {
-                case NGX_EAGAIN:
-                    break;
-
-                case NGX_EINTR:
-                    eintr = 1;
-                    break;
-
-                default:
-                    wev->error = 1;
-                    ngx_connection_error(c, err, "writev() failed");
-                    return NGX_CHAIN_ERROR;
-                }
+            n = ngx_writev(c, &header);
 
-                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, err,
-                               "writev() not ready");
+            if (n == NGX_ERROR) {
+                return NGX_CHAIN_ERROR;
             }
 
-            sent = rc > 0 ? rc : 0;
-        }
-
-        if (send - prev_send == sent) {
-            complete = 1;
+            sent = (n == NGX_AGAIN) ? 0 : n;
         }
 
         c->sent += sent;
 
-        for ( /* void */ ; in; in = in->next) {
-
-            if (ngx_buf_special(in->buf)) {
-                continue;
-            }
-
-            if (sent == 0) {
-                break;
-            }
-
-            size = ngx_buf_size(in->buf);
-
-            if (sent >= size) {
-                sent -= size;
-
-                if (ngx_buf_in_memory(in->buf)) {
-                    in->buf->pos = in->buf->last;
-                }
-
-                if (in->buf->in_file) {
-                    in->buf->file_pos = in->buf->file_last;
-                }
-
-                continue;
-            }
-
-            if (ngx_buf_in_memory(in->buf)) {
-                in->buf->pos += (size_t) sent;
-            }
-
-            if (in->buf->in_file) {
-                in->buf->file_pos += sent;
-            }
-
-            break;
-        }
+        in = ngx_chain_update_sent(in, sent);
 
         if (eintr) {
+            send = prev_send + sent;
             continue;
         }
 
-        if (!complete) {
+        if (send - prev_send != sent) {
             wev->ready = 0;
             return in;
         }