/*
* Copyright (C) Igor Sysoev
* Copyright (C) NGINX, Inc.
*/
#include <nxt_main.h>
#include <nxt_conf.h>
#define OPENSSL_SUPPRESS_DEPRECATED
#include <openssl/ssl.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
typedef struct {
SSL *session;
nxt_conn_t *conn;
int ssl_error;
uint8_t times; /* 2 bits */
uint8_t handshake; /* 1 bit */
nxt_tls_conf_t *conf;
nxt_buf_mem_t buffer;
} nxt_openssl_conn_t;
struct nxt_tls_ticket_s {
u_char name[16];
u_char hmac_key[32];
u_char aes_key[32];
uint8_t size;
};
struct nxt_tls_tickets_s {
nxt_uint_t count;
nxt_tls_ticket_t tickets[];
};
typedef enum {
NXT_OPENSSL_HANDSHAKE = 0,
NXT_OPENSSL_READ,
NXT_OPENSSL_WRITE,
NXT_OPENSSL_SHUTDOWN,
} nxt_openssl_io_t;
static nxt_int_t nxt_openssl_library_init(nxt_task_t *task);
static void nxt_openssl_library_free(nxt_task_t *task);
#if OPENSSL_VERSION_NUMBER < 0x10100004L
static nxt_int_t nxt_openssl_locks_init(void);
static void nxt_openssl_lock(int mode, int type, const char *file, int line);
static unsigned long nxt_openssl_thread_id(void);
static void nxt_openssl_locks_free(void);
#endif
static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp,
nxt_tls_init_t *tls_init, nxt_bool_t last);
static nxt_int_t nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx,
nxt_tls_conf_t *conf, nxt_mp_t *mp, nxt_bool_t single);
#if (NXT_HAVE_OPENSSL_CONF_CMD)
static nxt_int_t nxt_ssl_conf_commands(nxt_task_t *task, SSL_CTX *ctx,
nxt_conf_value_t *value, nxt_mp_t *mp);
#endif
#if (NXT_HAVE_OPENSSL_TLSEXT)
static nxt_int_t nxt_tls_ticket_keys(nxt_task_t *task, SSL_CTX *ctx,
nxt_tls_init_t *tls_init, nxt_mp_t *mp);
static int nxt_tls_ticket_key_callback(SSL *s, unsigned char *name,
unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
#endif
static void nxt_ssl_session_cache(SSL_CTX *ctx, size_t cache_size,
time_t timeout);
static nxt_uint_t nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert,
nxt_tls_conf_t *conf, nxt_mp_t *mp);
static nxt_int_t nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq,
void *data);
static nxt_int_t nxt_openssl_bundle_hash_insert(nxt_task_t *task,
nxt_lvlhsh_t *lvlhsh, nxt_tls_bundle_hash_item_t *item, nxt_mp_t * mp);
static nxt_int_t nxt_openssl_servername(SSL *s, int *ad, void *arg);
static nxt_tls_bundle_conf_t *nxt_openssl_find_ctx(nxt_tls_conf_t *conf,
nxt_str_t *sn);
static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf);
static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf,
nxt_conn_t *c);
static void nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data);
static ssize_t nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b);
static ssize_t nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb);
static ssize_t nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb,
void *buf, size_t size);
static void nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj,
void *data);
static nxt_int_t nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c,
int ret, nxt_err_t sys_err, nxt_openssl_io_t io);
static void nxt_openssl_conn_io_shutdown_timeout(nxt_task_t *task, void *obj,
void *data);
static void nxt_cdecl nxt_openssl_conn_error(nxt_task_t *task,
nxt_err_t err, const char *fmt, ...);
static nxt_uint_t nxt_openssl_log_error_level(nxt_err_t err);
const nxt_tls_lib_t nxt_openssl_lib = {
.library_init = nxt_openssl_library_init,
.library_free = nxt_openssl_library_free,
.server_init = nxt_openssl_server_init,
.server_free = nxt_openssl_server_free,
};
static nxt_conn_io_t nxt_openssl_conn_io = {
.read = nxt_conn_io_read,
.recvbuf = nxt_openssl_conn_io_recvbuf,
.write = nxt_conn_io_write,
.sendbuf = nxt_openssl_conn_io_sendbuf,
.shutdown = nxt_openssl_conn_io_shutdown,
};
static long nxt_openssl_version;
static int nxt_openssl_connection_index;
static nxt_int_t
nxt_openssl_library_init(nxt_task_t *task)
{
int index;
if (nxt_fast_path(nxt_openssl_version != 0)) {
return NXT_OK;
}
#if OPENSSL_VERSION_NUMBER >= 0x10100003L
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
{
nxt_int_t ret;
SSL_load_error_strings();
OPENSSL_config(NULL);
/*
* SSL_library_init(3):
*
* SSL_library_init() always returns "1",
* so it is safe to discard the return value.
*/
(void) SSL_library_init();
ret = nxt_openssl_locks_init();
if (nxt_slow_path(ret != NXT_OK)) {
return ret;
}
}
#endif
nxt_openssl_version = SSLeay();
nxt_log(task, NXT_LOG_INFO, "%s, %xl",
SSLeay_version(SSLEAY_VERSION), nxt_openssl_version);
#ifndef SSL_OP_NO_COMPRESSION
{
/*
* Disable gzip compression in OpenSSL prior to 1.0.0
* version, this saves about 522K per connection.
*/
int n;
STACK_OF(SSL_COMP) *ssl_comp_methods;
ssl_comp_methods = SSL_COMP_get_compression_methods();
for (n = sk_SSL_COMP_num(ssl_comp_methods); n != 0; n--) {
(void) sk_SSL_COMP_pop(ssl_comp_methods);
}
}
#endif
index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
if (index == -1) {
nxt_openssl_log_error(task, NXT_LOG_ALERT,
"SSL_get_ex_new_index() failed");
return NXT_ERROR;
}
nxt_openssl_connection_index = index;
return NXT_OK;
}
#if OPENSSL_VERSION_NUMBER >= 0x10100003L
static void
nxt_openssl_library_free(nxt_task_t *task)
{
}
#else
static nxt_thread_mutex_t *nxt_openssl_locks;
static nxt_int_t
nxt_openssl_locks_init(void)
{
int i, n;
nxt_int_t ret;
n = CRYPTO_num_locks();
nxt_openssl_locks = OPENSSL_malloc(n * sizeof(nxt_thread_mutex_t));
if (nxt_slow_path(nxt_openssl_locks == NULL)) {
return NXT_ERROR;
}
for (i = 0; i < n; i++) {
ret = nxt_thread_mutex_create(&nxt_openssl_locks[i]);
if (nxt_slow_path(ret != NXT_OK)) {
return ret;
}
}
CRYPTO_set_locking_callback(nxt_openssl_lock);
CRYPTO_set_id_callback(nxt_openssl_thread_id);
return NXT_OK;
}
static void
nxt_openssl_lock(int mode, int type, const char *file, int line)
{
nxt_thread_mutex_t *lock;
lock = &nxt_openssl_locks[type];
if ((mode & CRYPTO_LOCK) != 0) {
(void) nxt_thread_mutex_lock(lock);
} else {
(void) nxt_thread_mutex_unlock(lock);
}
}
static u_long
nxt_openssl_thread_id(void)
{
return (u_long) nxt_thread_handle();
}
static void
nxt_openssl_library_free(nxt_task_t *task)
{
nxt_openssl_locks_free();
}
static void
nxt_openssl_locks_free(void)
{
int i, n;
n = CRYPTO_num_locks();
CRYPTO_set_locking_callback(NULL);
for (i = 0; i < n; i++) {
nxt_thread_mutex_destroy(&nxt_openssl_locks[i]);
}
OPENSSL_free(nxt_openssl_locks);
}
#endif
static nxt_int_t
nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp,
nxt_tls_init_t *tls_init, nxt_bool_t last)
{
SSL_CTX *ctx;
const char *ca_certificate;
nxt_tls_conf_t *conf;
STACK_OF(X509_NAME) *list;
nxt_tls_bundle_conf_t *bundle;
ctx = SSL_CTX_new(SSLv23_server_method());
if (ctx == NULL) {
nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_CTX_new() failed");
return NXT_ERROR;
}
conf = tls_init->conf;
bundle = conf->bundle;
nxt_assert(bundle != NULL);
bundle->ctx = ctx;
#ifdef SSL_OP_NO_RENEGOTIATION
/* Renegration is not currently supported. */
SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
#endif
#ifdef SSL_OP_NO_COMPRESSION
/*
* Disable gzip compression in OpenSSL 1.0.0,
* this saves about 522K per connection.
*/
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
#endif
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
/* Request SSL_ERROR_ZERO_RETURN on EOF. */
SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
#endif
#ifdef SSL_MODE_RELEASE_BUFFERS
if (nxt_openssl_version >= 10001078) {
/*
* Allow to release read and write buffers in OpenSSL 1.0.0,
* this saves about 34K per idle connection. It is not safe
* before OpenSSL 1.0.1h (CVE-2010-5298).
*/
SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
}
#endif
if (nxt_openssl_chain_file(task, ctx, conf, mp,
last && bundle->next == NULL)
!= NXT_OK)
{
goto fail;
}
/*
key = conf->certificate_key;
if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) {
nxt_openssl_log_error(task, NXT_LOG_ALERT,
"SSL_CTX_use_PrivateKey_file(\"%s\") failed",
key);
goto fail;
}
*/
if (conf->ciphers) { /* else use system crypto policy */
if (SSL_CTX_set_cipher_list(ctx, conf->ciphers) == 0) {
nxt_openssl_log_error(task, NXT_LOG_ALERT,
"SSL_CTX_set_cipher_list(\"%s\") failed",
conf->ciphers);
goto fail;
}
}
#if (NXT_HAVE_OPENSSL_CONF_CMD)
if (tls_init->conf_cmds != NULL
&& nxt_ssl_conf_commands(task, ctx, tls_init->conf_cmds, mp) != NXT_OK)
{
goto fail;
}
#endif
nxt_ssl_session_cache(ctx, tls_init->cache_size, tls_init->timeout);
#if (NXT_HAVE_OPENSSL_TLSEXT)
if (nxt_tls_ticket_keys(task, ctx, tls_init, mp) != NXT_OK) {
goto fail;
}
#endif
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
if (conf->ca_certificate != NULL) {
/* TODO: verify callback */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
/* TODO: verify depth */
SSL_CTX_set_verify_depth(ctx, 1);
ca_certificate = conf->ca_certificate;
if (SSL_CTX_load_verify_locations(ctx, ca_certificate, NULL) == 0) {
nxt_openssl_log_error(task, NXT_LOG_ALERT,
"SSL_CTX_load_verify_locations(\"%s\") failed",
ca_certificate);
goto fail;
}
list = SSL_load_client_CA_file(ca_certificate);
if (list == NULL) {
nxt_openssl_log_error(task, NXT_LOG_ALERT,
"SSL_load_client_CA_file(\"%s\") failed",
ca_certificate);
goto fail;
}
/*
* SSL_load_client_CA_file() in OpenSSL prior to 0.9.7h and
* 0.9.8 versions always leaves an error in the error queue.
*/
ERR_clear_error();
SSL_CTX_set_client_CA_list(ctx, list);
}
if (last) {
conf->conn_init = nxt_openssl_conn_init;
if (bundle->next != NULL) {
SSL_CTX_set_tlsext_servername_callback(ctx, nxt_openssl_servername);
}
}
return NXT_OK;
fail:
SSL_CTX_free(ctx);
#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \
&& OPENSSL_VERSION_NUMBER < 0x1010101fL)
RAND_keep_random_devices_open(0);
#endif
return NXT_ERROR;
}
static nxt_int_t
nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, nxt_tls_conf_t *conf,
nxt_mp_t *mp, nxt_bool_t single)
{
BIO *bio;
X509 *cert, *ca;
long reason;
EVP_PKEY *key;
nxt_int_t ret;
nxt_tls_bundle_conf_t *bundle;
ret = NXT_ERROR;
cert = NULL;
bio = BIO_new(BIO_s_fd());
if (bio == NULL) {
goto end;
}
bundle = conf->bundle;
BIO_set_fd(bio, bundle->chain_file, BIO_CLOSE);
cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
if (cert == NULL) {
goto end;
}
if (SSL_CTX_use_certificate(ctx, cert) != 1) {
goto end;
}
if (!single && nxt_openssl_cert_get_names(task, cert, conf, mp) != NXT_OK) {
goto clean;
}
for ( ;; ) {
ca = PEM_read_bio_X509(bio, NULL, NULL, NULL);
if (ca == NULL) {
reason = ERR_GET_REASON(ERR_peek_last_error());
if (reason != PEM_R_NO_START_LINE) {
goto end;
}
ERR_clear_error();
break;
}
/*
* Note that ca isn't freed if it was successfully added to the chain,
* while the main certificate needs a X509_free() call, since
* its reference count is increased by SSL_CTX_use_certificate().
*/
#ifdef SSL_CTX_add0_chain_cert
if (SSL_CTX_add0_chain_cert(ctx, ca) != 1) {
#else
if (SSL_CTX_add_extra_chain_cert(ctx, ca) != 1) {
#endif
X509_free(ca);
goto end;
}
}
if (BIO_reset(bio) != 0) {
goto end;
}
key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
if (key == NULL) {
goto end;
}
if (SSL_CTX_use_PrivateKey(ctx, key) == 1) {
ret = NXT_OK;
}
EVP_PKEY_free(key);
end:
if (ret != NXT_OK) {
nxt_openssl_log_error(task, NXT_LOG_ALERT,
"nxt_openssl_chain_file() failed");
}
clean:
BIO_free(bio);
X509_free(cert);
return ret;
}
#if (NXT_HAVE_OPENSSL_CONF_CMD)
static nxt_int_t
nxt_ssl_conf_commands(nxt_task_t *task, SSL_CTX *ctx, nxt_conf_value_t *conf,
nxt_mp_t *mp)
{
int ret;
char *zcmd, *zvalue;
uint32_t index;
nxt_str_t cmd, value;
SSL_CONF_CTX *cctx;
nxt_conf_value_t *member;
cctx = SSL_CONF_CTX_new();
if (nxt_slow_path(cctx == NULL)) {
nxt_openssl_log_error(task, NXT_LOG_ALERT,
"SSL_CONF_CTX_new() failed");
return NXT_ERROR;
}
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE
| SSL_CONF_FLAG_SERVER
| SSL_CONF_FLAG_CERTIFICATE
| SSL_CONF_FLAG_SHOW_ERRORS);
SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
index = 0;
for ( ;; ) {
member = nxt_conf_next_object_member(conf, &cmd, &index);
if (nxt_slow_path(member == NULL)) {
break;
}
nxt_conf_get_string(member, &value);
zcmd = nxt_str_cstrz(mp, &cmd);
zvalue = nxt_str_cstrz(mp, &value);
if (nxt_slow_path(zcmd == NULL || zvalue == NULL)) {
goto fail;
}
ret = SSL_CONF_cmd(cctx, zcmd, zvalue);
if (ret == -2) {
nxt_openssl_log_error(task, NXT_LOG_ERR,
"unknown command \"%s\" in "
"\"conf_commands\" option", zcmd);
goto fail;
}
if (ret <= 0) {
nxt_openssl_log_error(task, NXT_LOG_ERR,
"invalid value \"%s\" for command \"%s\" "
"in \"conf_commands\" option",
zvalue, zcmd);
goto fail;
}
nxt_debug(task, "SSL_CONF_cmd(\"%s\", \"%s\")", zcmd, zvalue);
}
if (SSL_CONF_CTX_finish(cctx) != 1) {
nxt_openssl_log_error(task, NXT_LOG_ALERT,
"SSL_CONF_finish() failed");
goto fail;
}
SSL_CONF_CTX_free(cctx);
return NXT_OK;
fail:
SSL_CONF_CTX_free(cctx);
return NXT_ERROR;
}
#endif
#if (NXT_HAVE_OPENSSL_TLSEXT)
static nxt_int_t
nxt_tls_ticket_keys(nxt_task_t *task, SSL_CTX *ctx, nxt_tls_init_t *tls_init,
nxt_mp_t *mp)
{
size_t len;
uint32_t i;
nxt_str_t value;
nxt_uint_t count;
nxt_conf_value_t *member, *tickets_conf;
nxt_tls_ticket_t *ticket;
nxt_tls_tickets_t *tickets;
u_char buf[80];
tickets_conf = tls_init->tickets_conf;
if (tickets_conf == NULL) {
goto no_ticket;
}
if (nxt_conf_type(tickets_conf) == NXT_CONF_BOOLEAN) {
if (nxt_conf_get_boolean(tickets_conf) == 0) {
goto no_ticket;
}
return NXT_OK;
}
count = nxt_conf_array_elements_count_or_1(tickets_conf);
if (count == 0) {
goto no_ticket;
}
#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
tickets = nxt_mp_get(mp, sizeof(nxt_tls_tickets_t)
+ count * sizeof(nxt_tls_ticket_t));
if (nxt_slow_path(tickets == NULL)) {
return NXT_ERROR;
}
tickets->count = count;
tls_init->conf->tickets = tickets;
i = 0;
do {
ticket = &tickets->tickets[i];
i++;
member = nxt_conf_get_array_element_or_itself(tickets_conf, count - i);
if (member == NULL) {
break;
}
nxt_conf_get_string(member, &value);
len = nxt_base64_decode(buf, value.start, value.length);
nxt_memcpy(ticket->name, buf, 16);
if (len == 48) {
nxt_memcpy(ticket->aes_key, buf + 16, 16);
nxt_memcpy(ticket->hmac_key, buf + 32, 16);
ticket->size = 16;
} else {
nxt_memcpy(ticket->hmac_key, buf + 16, 32);
nxt_memcpy(ticket->aes_key, buf + 48, 32);
ticket->size = 32;
}
} while (i < count);
if (SSL_CTX_set_tlsext_ticket_key_cb(ctx, nxt_tls_ticket_key_callback)
== 0)
{
nxt_openssl_log_error(task, NXT_LOG_ALERT,
"Unit was built with Session Tickets support, however, "
"now it is linked dynamically to an OpenSSL library "
"which has no tlsext support, therefore Session Tickets "
"are not available");
return NXT_ERROR;
}
return NXT_OK;
#else
nxt_alert(task, "Setting custom session ticket keys is not supported with "
"this version of OpenSSL library");
return NXT_ERROR;
#endif
no_ticket:
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
return NXT_OK;
}
#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
static int
nxt_tls_ticket_key_callback(SSL *s, unsigned char *name, unsigned char *iv,
EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)
{
nxt_uint_t i;
nxt_conn_t *c;
const EVP_MD *digest;
const EVP_CIPHER *cipher;
nxt_tls_ticket_t *ticket;
nxt_openssl_conn_t *tls;
c = SSL_get_ex_data(s, nxt_openssl_connection_index);
if (nxt_slow_path(c == NULL)) {
nxt_thread_log_alert("SSL_get_ex_data() failed");
return -1;
}
tls = c->u.tls;
ticket = tls->conf->tickets->tickets;
i = 0;
if (enc == 1) {
/* encrypt session ticket */
nxt_debug(c->socket.task, "TLS session ticket encrypt");
cipher = (ticket[0].size == 16) ? EVP_aes_128_cbc() : EVP_aes_256_cbc();
if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
"RAND_bytes() failed");
return -1;
}
nxt_memcpy(name, ticket[0].name, 16);
if (EVP_EncryptInit_ex(ectx, cipher, NULL, ticket[0].aes_key, iv) != 1)
{
nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
"EVP_EncryptInit_ex() failed");
return -1;
}
} else {
/* decrypt session ticket */
do {
if (memcmp(name, ticket[i].name, 16) == 0) {
goto found;
}
} while (++i < tls->conf->tickets->count);
nxt_debug(c->socket.task, "TLS session ticket decrypt, key not found");
return 0;
found:
nxt_debug(c->socket.task,
"TLS session ticket decrypt, key number: \"%d\"", i);
enc = (i == 0) ? 1 : 2 /* renew */;
cipher = (ticket[i].size == 16) ? EVP_aes_128_cbc() : EVP_aes_256_cbc();
if (EVP_DecryptInit_ex(ectx, cipher, NULL, ticket[i].aes_key, iv) != 1)
{
nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
"EVP_DecryptInit_ex() failed");
return -1;
}
}
#ifdef OPENSSL_NO_SHA256
digest = EVP_sha1();
#else
digest = EVP_sha256();
#endif
if (HMAC_Init_ex(hctx, ticket[i].hmac_key, ticket[i].size, digest, NULL)
!= 1)
{
nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
"HMAC_Init_ex() failed");
return -1;
}
return enc;
}
#endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */
#endif /* NXT_HAVE_OPENSSL_TLSEXT */
static void
nxt_ssl_session_cache(SSL_CTX *ctx, size_t cache_size, time_t timeout)
{
if (cache_size == 0) {
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
return;
}
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
SSL_CTX_sess_set_cache_size(ctx, cache_size);
SSL_CTX_set_timeout(ctx, (long) timeout);
}
static nxt_uint_t
nxt_openssl_cert_get_names(nxt_task_t *task, X509 *cert, nxt_tls_conf_t *conf,
nxt_mp_t *mp)
{
int len;
nxt_str_t domain, str;
X509_NAME *x509_name;
nxt_uint_t i, n;
GENERAL_NAME *name;
nxt_tls_bundle_conf_t *bundle;
STACK_OF(GENERAL_NAME) *alt_names;
nxt_tls_bundle_hash_item_t *item;
bundle = conf->bundle;
alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (alt_names != NULL) {
n = sk_GENERAL_NAME_num(alt_names);
for (i = 0; i != n; i++) {
name = sk_GENERAL_NAME_value(alt_names, i);
if (name->type != GEN_DNS) {
continue;
}
str.length = ASN1_STRING_length(name->d.dNSName);
#if OPENSSL_VERSION_NUMBER > 0x10100000L
str.start = (u_char *) ASN1_STRING_get0_data(name->d.dNSName);
#else
str.start = ASN1_STRING_data(name->d.dNSName);
#endif
domain.start = nxt_mp_nget(mp, str.length);
if (nxt_slow_path(domain.start == NULL)) {
goto fail;
}
domain.length = str.length;
nxt_memcpy_lowcase(domain.start, str.start, str.length);
item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t));
if (nxt_slow_path(item == NULL)) {
goto fail;
}
item->name = domain;
item->bundle = bundle;
if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash,
item, mp)
== NXT_ERROR)
{
goto fail;
}
}
sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
} else {
x509_name = X509_get_subject_name(cert);
len = X509_NAME_get_text_by_NID(x509_name, NID_commonName,
NULL, 0);
if (len <= 0) {
nxt_log(task, NXT_LOG_WARN, "certificate \"%V\" has neither "
"Subject Alternative Name nor Common Name", &bundle->name);
return NXT_OK;
}
domain.start = nxt_mp_nget(mp, len + 1);
if (nxt_slow_path(domain.start == NULL)) {
return NXT_ERROR;
}
domain.length = X509_NAME_get_text_by_NID(x509_name, NID_commonName,
(char *) domain.start,
len + 1);
nxt_memcpy_lowcase(domain.start, domain.start, domain.length);
item = nxt_mp_get(mp, sizeof(nxt_tls_bundle_hash_item_t));
if (nxt_slow_path(item == NULL)) {
return NXT_ERROR;
}
item->name = domain;
item->bundle = bundle;
if (nxt_openssl_bundle_hash_insert(task, &conf->bundle_hash, item,
mp)
== NXT_ERROR)
{
return NXT_ERROR;
}
}
return NXT_OK;
fail:
sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
return NXT_ERROR;
}
static const nxt_lvlhsh_proto_t nxt_openssl_bundle_hash_proto
nxt_aligned(64) =
{
NXT_LVLHSH_DEFAULT,
nxt_openssl_bundle_hash_test,
nxt_mp_lvlhsh_alloc,
nxt_mp_lvlhsh_free,
};
static nxt_int_t
nxt_openssl_bundle_hash_test(nxt_lvlhsh_query_t *lhq, void *data)
{
nxt_tls_bundle_hash_item_t *item;
item = data;
return nxt_strstr_eq(&lhq->key, &item->name) ? NXT_OK : NXT_DECLINED;
}
static nxt_int_t
nxt_openssl_bundle_hash_insert(nxt_task_t *task, nxt_lvlhsh_t *lvlhsh,
nxt_tls_bundle_hash_item_t *item, nxt_mp_t *mp)
{
nxt_str_t str;
nxt_int_t ret;
nxt_lvlhsh_query_t lhq;
nxt_tls_bundle_hash_item_t *old;
str = item->name;
if (item->name.start[0] == '*') {
item->name.start++;
item->name.length--;
if (item->name.length == 0 || item->name.start[0] != '.') {
nxt_log(task, NXT_LOG_WARN, "ignored invalid name \"%V\" "
"in certificate \"%V\": missing \".\" "
"after wildcard symbol", &str, &item->bundle->name);
return NXT_OK;
}
}
lhq.pool = mp;
lhq.key = item->name;
lhq.value = item;
lhq.proto = &nxt_openssl_bundle_hash_proto;
lhq.replace = 0;
lhq.key_hash = nxt_murmur_hash2(item->name.start, item->name.length);
ret = nxt_lvlhsh_insert(lvlhsh, &lhq);
if (nxt_fast_path(ret == NXT_OK)) {
nxt_debug(task, "name \"%V\" for certificate \"%V\" is inserted",
&str, &item->bundle->name);
return NXT_OK;
}
if (nxt_fast_path(ret == NXT_DECLINED)) {
old = lhq.value;
if (old->bundle != item->bundle) {
nxt_log(task, NXT_LOG_WARN, "ignored duplicate name \"%V\" "
"in certificate \"%V\", identical name appears in \"%V\"",
&str, &old->bundle->name, &item->bundle->name);
old->bundle = item->bundle;
}
return NXT_OK;
}
return NXT_ERROR;
}
static nxt_int_t
nxt_openssl_servername(SSL *s, int *ad, void *arg)
{
nxt_str_t str;
nxt_uint_t i;
nxt_conn_t *c;
const char *servername;
nxt_tls_conf_t *conf;
nxt_openssl_conn_t *tls;
nxt_tls_bundle_conf_t *bundle;
c = SSL_get_ex_data(s, nxt_openssl_connection_index);
if (nxt_slow_path(c == NULL)) {
nxt_thread_log_alert("SSL_get_ex_data() failed");
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
nxt_debug(c->socket.task, "SSL_get_servername(): NULL");
goto done;
}
str.length = nxt_strlen(servername);
if (str.length == 0) {
nxt_debug(c->socket.task, "SSL_get_servername(): \"\" is empty");
goto done;
}
if (servername[0] == '.') {
nxt_debug(c->socket.task, "ignored the server name \"%s\": "
"leading \".\"", servername);
goto done;
}
nxt_debug(c->socket.task, "tls with servername \"%s\"", servername);
str.start = nxt_mp_nget(c->mem_pool, str.length);
if (nxt_slow_path(str.start == NULL)) {
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
nxt_memcpy_lowcase(str.start, (const u_char *) servername, str.length);
tls = c->u.tls;
conf = tls->conf;
bundle = nxt_openssl_find_ctx(conf, &str);
if (bundle == NULL) {
for (i = 1; i < str.length; i++) {
if (str.start[i] == '.') {
str.start += i;
str.length -= i;
bundle = nxt_openssl_find_ctx(conf, &str);
break;
}
}
}
if (bundle != NULL) {
nxt_debug(c->socket.task, "new tls context found for \"%V\": \"%V\" "
"(old: \"%V\")", &str, &bundle->name,
&conf->bundle->name);
if (bundle != conf->bundle) {
if (SSL_set_SSL_CTX(s, bundle->ctx) == NULL) {
nxt_openssl_log_error(c->socket.task, NXT_LOG_ALERT,
"SSL_set_SSL_CTX() failed");
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
}
}
done:
return SSL_TLSEXT_ERR_OK;
}
static nxt_tls_bundle_conf_t *
nxt_openssl_find_ctx(nxt_tls_conf_t *conf, nxt_str_t *sn)
{
nxt_int_t ret;
nxt_lvlhsh_query_t lhq;
nxt_tls_bundle_hash_item_t *item;
lhq.key_hash = nxt_murmur_hash2(sn->start, sn->length);
lhq.key = *sn;
lhq.proto = &nxt_openssl_bundle_hash_proto;
ret = nxt_lvlhsh_find(&conf->bundle_hash, &lhq);
if (ret != NXT_OK) {
return NULL;
}
item = lhq.value;
return item->bundle;
}
static void
nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf)
{
nxt_tls_bundle_conf_t *bundle;
bundle = conf->bundle;
nxt_assert(bundle != NULL);
do {
SSL_CTX_free(bundle->ctx);
bundle = bundle->next;
} while (bundle != NULL);
if (conf->tickets) {
nxt_memzero(conf->tickets->tickets,
conf->tickets->count * sizeof(nxt_tls_ticket_t));
}
#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL \
&& OPENSSL_VERSION_NUMBER < 0x1010101fL)
RAND_keep_random_devices_open(0);
#endif
}
static void
nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, nxt_conn_t *c)
{
int ret;
SSL *s;
SSL_CTX *ctx;
nxt_openssl_conn_t *tls;
nxt_log_debug(c->socket.log, "openssl conn init");
tls = nxt_mp_zget(c->mem_pool, sizeof(nxt_openssl_conn_t));
if (tls == NULL) {
goto fail;
}
c->u.tls = tls;
nxt_buf_mem_set_size(&tls->buffer, conf->buffer_size);
ctx = conf->bundle->ctx;
s = SSL_new(ctx);
if (s == NULL) {
nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_new() failed");
goto fail;
}
tls->session = s;
/* To pass TLS config to the nxt_openssl_servername() callback. */
tls->conf = conf;
tls->conn = c;
ret = SSL_set_fd(s, c->socket.fd);
if (ret == 0) {
nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_fd(%d) failed",
c->socket.fd);
goto fail;
}
SSL_set_accept_state(s);
if (SSL_set_ex_data(s, nxt_openssl_connection_index, c) == 0) {
nxt_openssl_log_error(task, NXT_LOG_ALERT, "SSL_set_ex_data() failed");
goto fail;
}
c->io = &nxt_openssl_conn_io;
c->sendfile = NXT_CONN_SENDFILE_OFF;
nxt_openssl_conn_handshake(task, c, c->socket.data);
return;
fail:
nxt_work_queue_add(c->read_work_queue, c->read_state->error_handler,
task, c, c->socket.data);
}
nxt_inline void
nxt_openssl_conn_free(nxt_task_t *task, nxt_conn_t *c)
{
nxt_openssl_conn_t *tls;
nxt_debug(task, "openssl conn free");
tls = c->u.tls;
if (tls != NULL) {
c->u.tls = NULL;
nxt_free(tls->buffer.start);
SSL_free(tls->session);
}
}
static void
nxt_openssl_conn_handshake(nxt_task_t *task, void *obj, void *data)
{
int ret;
nxt_int_t n;
nxt_err_t err;
nxt_conn_t *c;
nxt_work_queue_t *wq;
nxt_work_handler_t handler;
nxt_openssl_conn_t *tls;
const nxt_conn_state_t *state;
c = obj;
nxt_debug(task, "openssl conn handshake fd:%d", c->socket.fd);
if (c->socket.error != 0) {
return;
}
tls = c->u.tls;
if (tls == NULL) {
return;
}
nxt_debug(task, "openssl conn handshake: %d times", tls->times);
/* "tls->times == 1" is suitable to run SSL_do_handshake() in job. */
ret = SSL_do_handshake(tls->session);
err = (ret <= 0) ? nxt_socket_errno : 0;
nxt_thread_time_debug_update(task->thread);
nxt_debug(task, "SSL_do_handshake(%d): %d err:%d", c->socket.fd, ret, err);
state = (c->read_state != NULL) ? c->read_state : c->write_state;
if (ret > 0) {
/* ret == 1, the handshake was successfully completed. */
tls->handshake = 1;
if (c->read_state != NULL) {
if (state->io_read_handler != NULL || c->read != NULL) {
nxt_conn_read(task->thread->engine, c);
return;
}
} else {
if (c->write != NULL) {
nxt_conn_write(task->thread->engine, c);
return;
}
}
handler = state->ready_handler;
} else {
c->socket.read_handler = nxt_openssl_conn_handshake;
c->socket.write_handler = nxt_openssl_conn_handshake;
n = nxt_openssl_conn_test_error(task, c, ret, err,
NXT_OPENSSL_HANDSHAKE);
switch (n) {
case NXT_AGAIN:
if (tls->ssl_error == SSL_ERROR_WANT_READ && tls->times < 2) {
tls->times++;
}
return;
case 0:
handler = state->close_handler;
break;
default:
case NXT_ERROR:
nxt_openssl_conn_error(task, err, "SSL_do_handshake(%d) failed",
c->socket.fd);
handler = state->error_handler;
break;
}
}
wq = (c->read_state != NULL) ? c->read_work_queue : c->write_work_queue;
nxt_work_queue_add(wq, handler, task, c, data);
}
static ssize_t
nxt_openssl_conn_io_recvbuf(nxt_conn_t *c, nxt_buf_t *b)
{
int ret;
size_t size;
nxt_int_t n;
nxt_err_t err;
nxt_openssl_conn_t *tls;
tls = c->u.tls;
size = b->mem.end - b->mem.free;
ret = SSL_read(tls->session, b->mem.free, size);
err = (ret <= 0) ? nxt_socket_errno : 0;
nxt_debug(c->socket.task, "SSL_read(%d, %p, %uz): %d err:%d",
c->socket.fd, b->mem.free, size, ret, err);
if (ret > 0) {
return ret;
}
n = nxt_openssl_conn_test_error(c->socket.task, c, ret, err,
NXT_OPENSSL_READ);
if (n == NXT_ERROR) {
nxt_openssl_conn_error(c->socket.task, err,
"SSL_read(%d, %p, %uz) failed",
c->socket.fd, b->mem.free, size);
}
return n;
}
static ssize_t
nxt_openssl_conn_io_sendbuf(nxt_task_t *task, nxt_sendbuf_t *sb)
{
nxt_uint_t niov;
struct iovec iov;
niov = nxt_sendbuf_mem_coalesce0(task, sb, &iov, 1);
if (niov == 0 && sb->sync) {
return 0;
}
return nxt_openssl_conn_io_send(task, sb, iov.iov_base, iov.iov_len);
}
static ssize_t
nxt_openssl_conn_io_send(nxt_task_t *task, nxt_sendbuf_t *sb, void *buf,
size_t size)
{
int ret;
nxt_err_t err;
nxt_int_t n;
nxt_conn_t *c;
nxt_openssl_conn_t *tls;
tls = sb->tls;
ret = SSL_write(tls->session, buf, size);
err = (ret <= 0) ? nxt_socket_errno : 0;
nxt_debug(task, "SSL_write(%d, %p, %uz): %d err:%d",
sb->socket, buf, size, ret, err);
if (ret > 0) {
return ret;
}
c = tls->conn;
c->socket.write_ready = sb->ready;
n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_WRITE);
sb->ready = c->socket.write_ready;
if (n == NXT_ERROR) {
sb->error = c->socket.error;
nxt_openssl_conn_error(task, err, "SSL_write(%d, %p, %uz) failed",
sb->socket, buf, size);
}
return n;
}
static void
nxt_openssl_conn_io_shutdown(nxt_task_t *task, void *obj, void *data)
{
int ret, mode;
SSL *s;
nxt_err_t err;
nxt_int_t n;
nxt_bool_t quiet, once;
nxt_conn_t *c;
nxt_openssl_conn_t *tls;
nxt_work_handler_t handler;
c = obj;
nxt_debug(task, "openssl conn shutdown fd:%d", c->socket.fd);
c->read_state = NULL;
tls = c->u.tls;
if (tls == NULL) {
return;
}
s = tls->session;
if (s == NULL || !tls->handshake) {
handler = c->write_state->ready_handler;
goto done;
}
mode = SSL_get_shutdown(s);
if (c->socket.timedout || c->socket.error != 0) {
quiet = 1;
} else if (c->socket.closed && !(mode & SSL_RECEIVED_SHUTDOWN)) {
quiet = 1;
} else {
quiet = 0;
}
SSL_set_quiet_shutdown(s, quiet);
if (tls->conf->no_wait_shutdown) {
mode |= SSL_RECEIVED_SHUTDOWN;
}
once = 1;
for ( ;; ) {
SSL_set_shutdown(s, mode);
ret = SSL_shutdown(s);
err = (ret <= 0) ? nxt_socket_errno : 0;
nxt_debug(task, "SSL_shutdown(%d, %d, %b): %d err:%d",
c->socket.fd, mode, quiet, ret, err);
if (ret > 0) {
/* ret == 1, the shutdown was successfully completed. */
handler = c->write_state->ready_handler;
goto done;
}
if (ret == 0) {
/*
* If SSL_shutdown() returns 0 then it should be called
* again. The second SSL_shutdown() call should return
* -1/SSL_ERROR_WANT_READ or -1/SSL_ERROR_WANT_WRITE.
* OpenSSL prior to 0.9.8m version however never returns
* -1 at all. Fortunately, OpenSSL preserves internally
* correct status available via SSL_get_error(-1).
*/
if (once) {
once = 0;
mode = SSL_get_shutdown(s);
continue;
}
ret = -1;
}
/* ret == -1 */
break;
}
c->socket.read_handler = nxt_openssl_conn_io_shutdown;
c->socket.write_handler = nxt_openssl_conn_io_shutdown;
c->socket.error_handler = c->write_state->error_handler;
n = nxt_openssl_conn_test_error(task, c, ret, err, NXT_OPENSSL_SHUTDOWN);
switch (n) {
case 0:
handler = c->write_state->close_handler;
break;
case NXT_AGAIN:
c->write_timer.handler = nxt_openssl_conn_io_shutdown_timeout;
nxt_timer_add(task->thread->engine, &c->write_timer, 5000);
return;
default:
case NXT_ERROR:
nxt_openssl_conn_error(task, err, "SSL_shutdown(%d) failed",
c->socket.fd);
handler = c->write_state->error_handler;
}
done:
nxt_openssl_conn_free(task, c);
nxt_work_queue_add(c->write_work_queue, handler, task, c, data);
}
static nxt_int_t
nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, int ret,
nxt_err_t sys_err, nxt_openssl_io_t io)
{
u_long lib_err;
nxt_openssl_conn_t *tls;
tls = c->u.tls;
tls->ssl_error = SSL_get_error(tls->session, ret);
nxt_debug(task, "SSL_get_error(): %d", tls->ssl_error);
switch (tls->ssl_error) {
case SSL_ERROR_WANT_READ:
c->socket.read_ready = 0;
if (io != NXT_OPENSSL_READ) {
nxt_fd_event_block_write(task->thread->engine, &c->socket);
if (nxt_fd_event_is_disabled(c->socket.read)) {
nxt_fd_event_enable_read(task->thread->engine, &c->socket);
}
}
return NXT_AGAIN;
case SSL_ERROR_WANT_WRITE:
c->socket.write_ready = 0;
if (io != NXT_OPENSSL_WRITE) {
nxt_fd_event_block_read(task->thread->engine, &c->socket);
if (nxt_fd_event_is_disabled(c->socket.write)) {
nxt_fd_event_enable_write(task->thread->engine, &c->socket);
}
}
return NXT_AGAIN;
case SSL_ERROR_SYSCALL:
lib_err = ERR_peek_error();
nxt_debug(task, "ERR_peek_error(): %l", lib_err);
if (sys_err != 0 || lib_err != 0) {
c->socket.error = sys_err;
return NXT_ERROR;
}
/* A connection was just closed. */
c->socket.closed = 1;
return 0;
case SSL_ERROR_ZERO_RETURN:
/* A "close notify" alert. */
return 0;
default: /* SSL_ERROR_SSL, etc. */
c->socket.error = 1000; /* Nonexistent errno code. */
return NXT_ERROR;
}
}
static void
nxt_openssl_conn_io_shutdown_timeout(nxt_task_t *task, void *obj, void *data)
{
nxt_conn_t *c;
nxt_timer_t *timer;
timer = obj;
nxt_debug(task, "openssl conn shutdown timeout");
c = nxt_write_timer_conn(timer);
c->socket.timedout = 1;
nxt_openssl_conn_io_shutdown(task, c, NULL);
}
static void nxt_cdecl
nxt_openssl_conn_error(nxt_task_t *task, nxt_err_t err, const char *fmt, ...)
{
u_char *p, *end;
va_list args;
nxt_uint_t level;
u_char msg[NXT_MAX_ERROR_STR];
level = nxt_openssl_log_error_level(err);
if (nxt_log_level_enough(task->log, level)) {
end = msg + sizeof(msg);
va_start(args, fmt);
p = nxt_vsprintf(msg, end, fmt, args);
va_end(args);
if (err != 0) {
p = nxt_sprintf(p, end, " %E", err);
}
p = nxt_openssl_copy_error(p, end);
nxt_log(task, level, "%*s", p - msg, msg);
} else {
ERR_clear_error();
}
}
static nxt_uint_t
nxt_openssl_log_error_level(nxt_err_t err)
{
switch (ERR_GET_REASON(ERR_peek_error())) {
case 0:
return nxt_socket_error_level(err);
case SSL_R_BAD_CHANGE_CIPHER_SPEC: /* 103 */
case SSL_R_BLOCK_CIPHER_PAD_IS_WRONG: /* 129 */
case SSL_R_DIGEST_CHECK_FAILED: /* 149 */
case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: /* 151 */
case SSL_R_EXCESSIVE_MESSAGE_SIZE: /* 152 */
case SSL_R_LENGTH_MISMATCH: /* 159 */
#ifdef SSL_R_NO_CIPHERS_PASSED
case SSL_R_NO_CIPHERS_PASSED: /* 182 */
#endif
case SSL_R_NO_CIPHERS_SPECIFIED: /* 183 */
case SSL_R_NO_COMPRESSION_SPECIFIED: /* 187 */
case SSL_R_NO_SHARED_CIPHER: /* 193 */
case SSL_R_RECORD_LENGTH_MISMATCH: /* 213 */
#ifdef SSL_R_PARSE_TLSEXT
case SSL_R_PARSE_TLSEXT: /* 227 */
#endif
case SSL_R_UNEXPECTED_MESSAGE: /* 244 */
case SSL_R_UNEXPECTED_RECORD: /* 245 */
case SSL_R_UNKNOWN_ALERT_TYPE: /* 246 */
case SSL_R_UNKNOWN_PROTOCOL: /* 252 */
case SSL_R_WRONG_VERSION_NUMBER: /* 267 */
case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: /* 281 */
#ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
case SSL_R_RENEGOTIATE_EXT_TOO_LONG: /* 335 */
case SSL_R_RENEGOTIATION_ENCODING_ERR: /* 336 */
case SSL_R_RENEGOTIATION_MISMATCH: /* 337 */
#endif
#ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
case SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED: /* 338 */
#endif
#ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
case SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING: /* 345 */
#endif
case 1000:/* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: /* 1010 */
case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: /* 1020 */
case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: /* 1021 */
case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: /* 1022 */
case SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE: /* 1030 */
case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: /* 1040 */
case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: /* 1047 */
break;
case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: /* 1041 */
case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE: /* 1042 */
case SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE: /* 1043 */
case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED: /* 1044 */
case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED: /* 1045 */
case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN: /* 1046 */
case SSL_R_TLSV1_ALERT_UNKNOWN_CA: /* 1048 */
case SSL_R_TLSV1_ALERT_ACCESS_DENIED: /* 1049 */
case SSL_R_TLSV1_ALERT_DECODE_ERROR: /* 1050 */
case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: /* 1051 */
case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: /* 1060 */
case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION: /* 1070 */
case SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY: /* 1071 */
case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: /* 1080 */
case SSL_R_TLSV1_ALERT_USER_CANCELLED: /* 1090 */
case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: /* 1100 */
return NXT_LOG_ERR;
default:
return NXT_LOG_ALERT;
}
return NXT_LOG_INFO;
}
void nxt_cdecl
nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level, const char *fmt, ...)
{
u_char *p, *end;
va_list args;
u_char msg[NXT_MAX_ERROR_STR];
end = msg + sizeof(msg);
va_start(args, fmt);
p = nxt_vsprintf(msg, end, fmt, args);
va_end(args);
p = nxt_openssl_copy_error(p, end);
nxt_log(task, level, "%*s", p - msg, msg);
}
u_char *
nxt_openssl_copy_error(u_char *p, u_char *end)
{
int flags;
u_long err;
nxt_bool_t clear;
const char *data, *delimiter;
err = ERR_peek_error();
if (err == 0) {
return p;
}
/* Log the most relevant error message ... */
data = ERR_reason_error_string(err);
p = nxt_sprintf(p, end, " (%d: %s) (OpenSSL: ", ERR_GET_REASON(err), data);
/*
* ... followed by all queued cumbersome OpenSSL error messages
* and drain the error queue.
*/
delimiter = "";
clear = 0;
for ( ;; ) {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
err = ERR_get_error_all(NULL, NULL, NULL, &data, &flags);
#else
err = ERR_get_error_line_data(NULL, NULL, &data, &flags);
#endif
if (err == 0) {
break;
}
p = nxt_sprintf(p, end, "%s", delimiter);
ERR_error_string_n(err, (char *) p, end - p);
while (p < end && *p != '\0') {
p++;
}
if ((flags & ERR_TXT_STRING) != 0) {
p = nxt_sprintf(p, end, ":%s", data);
}
clear |= ((flags & ERR_TXT_MALLOCED) != 0);
delimiter = "; ";
}
/* Deallocate additional data. */
if (clear) {
ERR_clear_error();
}
if (p < end) {
*p++ = ')';
}
return p;
}