static int
ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
const unsigned char **out, unsigned int *outlen, void *arg)
{
#if (NGX_HTTP_V2 || NGX_DEBUG)
ngx_connection_t *c;
c = ngx_ssl_get_connection(ssl_conn);
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
#endif
#if (NGX_HTTP_V2)
{
ngx_http_connection_t *hc;
hc = c->data;
if (hc->addr_conf->http2) {
*out =
(unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
*outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
return SSL_TLSEXT_ERR_OK;
}
}
#endif
*out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
*outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
return SSL_TLSEXT_ERR_OK;
}
static int
ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
unsigned char *outlen, const unsigned char *in, unsigned int inlen,
void *arg)
{
unsigned int srvlen;
unsigned char *srv;
#if (NGX_DEBUG)
unsigned int i;
#endif
#if (NGX_HTTP_V2)
ngx_http_connection_t *hc;
#endif
#if (NGX_HTTP_V2 || NGX_DEBUG)
ngx_connection_t *c;
c = ngx_ssl_get_connection(ssl_conn);
#endif
#if (NGX_DEBUG)
for (i = 0; i < inlen; i += in[i] + 1) {
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
"SSL ALPN supported by client: %*s",
(size_t) in[i], &in[i + 1]);
}
#endif
#if (NGX_HTTP_V2)
hc = c->data;
if (hc->addr_conf->http2) {
srv =
(unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
} else
#endif
{
srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
srvlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
}
if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
in, inlen)
!= OPENSSL_NPN_NEGOTIATED)
{
return SSL_TLSEXT_ERR_NOACK;
}
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
"SSL ALPN selected: %*s", (size_t) *outlen, *out);
return SSL_TLSEXT_ERR_OK;
}
static int
ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
{
int rc;
X509 *cert;
u_char *p;
ngx_connection_t *c;
ngx_ssl_stapling_t *staple;
c = ngx_ssl_get_connection(ssl_conn);
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL certificate status callback");
rc = SSL_TLSEXT_ERR_NOACK;
cert = SSL_get_certificate(ssl_conn);
staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
if (staple == NULL) {
return rc;
}
if (staple->staple.len
&& staple->valid >= ngx_time())
{
/* we have to copy ocsp response as OpenSSL will free it by itself */
p = OPENSSL_malloc(staple->staple.len);
if (p == NULL) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
return SSL_TLSEXT_ERR_NOACK;
}
ngx_memcpy(p, staple->staple.data, staple->staple.len);
SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len);
rc = SSL_TLSEXT_ERR_OK;
}
ngx_ssl_stapling_update(staple);
return rc;
}
void nchan_finalize_fake_request(ngx_http_request_t *r, ngx_int_t rc) {
ngx_connection_t *c;
#if (NGX_HTTP_SSL)
ngx_ssl_conn_t *ssl_conn;
#endif
c = r->connection;
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
"http finalize fake request: %d, a:%d, c:%d",
rc, r == c->data, r->main->count);
if (rc == NGX_DONE) {
nchan_close_fake_request(r);
return;
}
if (rc == NGX_ERROR || rc >= NGX_HTTP_SPECIAL_RESPONSE) {
#if (NGX_HTTP_SSL)
if (r->connection->ssl) {
ssl_conn = r->connection->ssl->connection;
if (ssl_conn) {
c = ngx_ssl_get_connection(ssl_conn);
}
}
#endif
nchan_close_fake_request(r);
return;
}
if (c->read->timer_set) {
ngx_del_timer(c->read);
}
if (c->write->timer_set) {
c->write->delayed = 0;
ngx_del_timer(c->write);
}
nchan_close_fake_request(r);
}
static int ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
{
hlog(LOG_DEBUG, "ssl_verify_callback, ok: %d", ok);
#if (NGX_DEBUG)
char *subject, *issuer;
int err, depth;
X509 *cert;
X509_NAME *sname, *iname;
ngx_connection_t *c;
ngx_ssl_conn_t *ssl_conn;
ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
SSL_get_ex_data_X509_STORE_CTX_idx());
c = ngx_ssl_get_connection(ssl_conn);
cert = X509_STORE_CTX_get_current_cert(x509_store);
err = X509_STORE_CTX_get_error(x509_store);
depth = X509_STORE_CTX_get_error_depth(x509_store);
sname = X509_get_subject_name(cert);
subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)";
iname = X509_get_issuer_name(cert);
issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)";
ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
"verify:%d, error:%d, depth:%d, "
"subject:\"%s\",issuer: \"%s\"",
ok, err, depth, subject, issuer);
if (sname) {
OPENSSL_free(subject);
}
if (iname) {
OPENSSL_free(issuer);
}
#endif
return 1;
}
static int
ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
const unsigned char **out, unsigned int *outlen, void *arg)
{
#if (NGX_HTTP_SPDY || NGX_DEBUG)
ngx_connection_t *c;
c = ngx_ssl_get_connection(ssl_conn);
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
#endif
#if (NGX_HTTP_SPDY)
{
ngx_http_connection_t *hc;
ngx_http_spdy_srv_conf_t *sscf;
hc = c->data;
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_spdy_module);
if (hc->addr_conf->spdy) {
if (sscf->version == NGX_SPDY_VERSION_V3) {
*out = (unsigned char *) NGX_SPDY_V3_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
*outlen = sizeof(NGX_SPDY_V3_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
} else {
*out = (unsigned char *) NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
*outlen = sizeof(NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
}
return SSL_TLSEXT_ERR_OK;
}
}
#endif
*out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
*outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
return SSL_TLSEXT_ERR_OK;
}
/* callback for new session caching, to be set with SSL_CTX_sess_set_new_cb */
int
ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn,
ngx_ssl_session_t *sess)
{
lua_State *L;
ngx_int_t rc;
#if OPENSSL_VERSION_NUMBER >= 0x1010005fL
unsigned int len;
#endif
ngx_connection_t *c, *fc = NULL;
ngx_http_request_t *r = NULL;
ngx_http_connection_t *hc;
ngx_http_lua_ssl_ctx_t *cctx;
ngx_http_lua_srv_conf_t *lscf;
ngx_http_core_loc_conf_t *clcf;
c = ngx_ssl_get_connection(ssl_conn);
dd("c = %p", c);
cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
dd("ssl sess_store handler, sess_store-ctx=%p", cctx);
hc = c->data;
fc = ngx_http_lua_create_fake_connection(NULL);
if (fc == NULL) {
goto failed;
}
fc->log->handler = ngx_http_lua_log_ssl_sess_store_error;
fc->log->data = fc;
fc->addr_text = c->addr_text;
fc->listening = c->listening;
r = ngx_http_lua_create_fake_request(fc);
if (r == NULL) {
goto failed;
}
r->main_conf = hc->conf_ctx->main_conf;
r->srv_conf = hc->conf_ctx->srv_conf;
r->loc_conf = hc->conf_ctx->loc_conf;
fc->log->file = c->log->file;
fc->log->log_level = c->log->log_level;
fc->ssl = c->ssl;
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
#if defined(nginx_version) && nginx_version >= 1003014
# if nginx_version >= 1009000
ngx_set_connection_log(fc, clcf->error_log);
# else
ngx_http_set_connection_log(fc, clcf->error_log);
# endif
#else
fc->log->file = clcf->error_log->file;
if (!(fc->log->log_level & NGX_LOG_DEBUG_CONNECTION)) {
fc->log->log_level = clcf->error_log->log_level;
}
#endif
if (cctx == NULL) {
cctx = ngx_pcalloc(c->pool, sizeof(ngx_http_lua_ssl_ctx_t));
if (cctx == NULL) {
goto failed; /* error */
}
}
cctx->connection = c;
cctx->request = r;
cctx->session = sess;
#if OPENSSL_VERSION_NUMBER < 0x1010005fL
cctx->session_id.data = sess->session_id;
cctx->session_id.len = sess->session_id_length;
#else
cctx->session_id.data = (u_char *)SSL_SESSION_get_id(sess, &len);
cctx->session_id.len = len;
#endif
cctx->done = 0;
dd("setting cctx");
if (SSL_set_ex_data(c->ssl->connection, ngx_http_lua_ssl_ctx_index, cctx)
== 0)
{
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
goto failed;
}
lscf = ngx_http_get_module_srv_conf(r, ngx_http_lua_module);
/* TODO honor lua_code_cache off */
L = ngx_http_lua_get_lua_vm(r, NULL);
c->log->action = "storing SSL session by lua";
rc = lscf->srv.ssl_sess_store_handler(r, lscf, L);
if (rc >= NGX_OK || rc == NGX_ERROR) {
cctx->done = 1;
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
"ssl_session_store_by_lua*: handler return value: %i, "
"sess new cb exit code: %d", rc, cctx->exit_code);
c->log->action = "SSL handshaking";
/* Return value is a flag indicating whether the passed-in session
* has been freed by this callback; always return 0 so OpenSSL will
* free the session. Nginx's own session caching logic has the same
* practice. */
return 0;
}
/* impossible to reach here */
ngx_http_lua_assert(0);
failed:
if (r && r->pool) {
ngx_http_lua_free_fake_request(r);
}
if (fc) {
ngx_http_lua_close_fake_connection(fc);
}
return 0;
}
/* cached session fetching callback to be set with SSL_CTX_sess_set_get_cb */
ngx_ssl_session_t *
ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn, u_char *id,
int len, int *copy)
{
lua_State *L;
ngx_int_t rc;
ngx_connection_t *c, *fc = NULL;
ngx_http_request_t *r = NULL;
ngx_pool_cleanup_t *cln;
ngx_http_connection_t *hc;
ngx_http_lua_ssl_ctx_t *cctx;
ngx_http_lua_srv_conf_t *lscf;
ngx_http_core_loc_conf_t *clcf;
/* set copy to 0 as we expect OpenSSL to handle
* the memory of returned session */
*copy = 0;
c = ngx_ssl_get_connection(ssl_conn);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
"ssl session fetch: connection reusable: %ud", c->reusable);
cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
dd("ssl sess_fetch handler, sess_fetch-ctx=%p", cctx);
if (cctx && cctx->entered_sess_fetch_handler) {
/* not the first time */
dd("here: %d", (int) cctx->entered_sess_fetch_handler);
if (cctx->done) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
"ssl_session_fetch_by_lua*: "
"sess get cb exit code: %d",
cctx->exit_code);
dd("lua ssl sess_fetch done, finally");
return cctx->session;
}
#ifdef SSL_ERROR_PENDING_SESSION
return SSL_magic_pending_session_ptr();
#else
ngx_log_error(NGX_LOG_CRIT, c->log, 0,
"lua: cannot yield in sess get cb: "
"missing async sess get cb support in OpenSSL");
return NULL;
#endif
}
dd("first time");
ngx_reusable_connection(c, 0);
hc = c->data;
fc = ngx_http_lua_create_fake_connection(NULL);
if (fc == NULL) {
goto failed;
}
fc->log->handler = ngx_http_lua_log_ssl_sess_fetch_error;
fc->log->data = fc;
fc->addr_text = c->addr_text;
fc->listening = c->listening;
r = ngx_http_lua_create_fake_request(fc);
if (r == NULL) {
goto failed;
}
r->main_conf = hc->conf_ctx->main_conf;
r->srv_conf = hc->conf_ctx->srv_conf;
r->loc_conf = hc->conf_ctx->loc_conf;
fc->log->file = c->log->file;
fc->log->log_level = c->log->log_level;
fc->ssl = c->ssl;
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
#if defined(nginx_version) && nginx_version >= 1003014
# if nginx_version >= 1009000
ngx_set_connection_log(fc, clcf->error_log);
# else
ngx_http_set_connection_log(fc, clcf->error_log);
# endif
#else
fc->log->file = clcf->error_log->file;
if (!(fc->log->log_level & NGX_LOG_DEBUG_CONNECTION)) {
fc->log->log_level = clcf->error_log->log_level;
}
#endif
if (cctx == NULL) {
cctx = ngx_pcalloc(c->pool, sizeof(ngx_http_lua_ssl_ctx_t));
if (cctx == NULL) {
goto failed; /* error */
}
}
cctx->exit_code = 1; /* successful by default */
cctx->connection = c;
cctx->request = r;
cctx->session_id.data = id;
cctx->session_id.len = len;
cctx->entered_sess_fetch_handler = 1;
cctx->done = 0;
dd("setting cctx = %p", cctx);
if (SSL_set_ex_data(c->ssl->connection, ngx_http_lua_ssl_ctx_index, cctx)
== 0)
{
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
goto failed;
}
lscf = ngx_http_get_module_srv_conf(r, ngx_http_lua_module);
/* TODO honor lua_code_cache off */
L = ngx_http_lua_get_lua_vm(r, NULL);
c->log->action = "fetching SSL session by lua";
rc = lscf->srv.ssl_sess_fetch_handler(r, lscf, L);
if (rc >= NGX_OK || rc == NGX_ERROR) {
cctx->done = 1;
if (cctx->cleanup) {
*cctx->cleanup = NULL;
}
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
"ssl_session_fetch_by_lua*: handler return value: %i, "
"sess get cb exit code: %d", rc, cctx->exit_code);
c->log->action = "SSL handshaking";
return cctx->session;
}
/* rc == NGX_DONE */
cln = ngx_pool_cleanup_add(fc->pool, 0);
if (cln == NULL) {
goto failed;
}
cln->handler = ngx_http_lua_ssl_sess_fetch_done;
cln->data = cctx;
if (cctx->cleanup == NULL) {
/* we only want exactly one cleanup handler to be registered with the
* connection to clean up cctx when connection is aborted */
cln = ngx_pool_cleanup_add(c->pool, 0);
if (cln == NULL) {
goto failed;
}
cln->data = cctx;
cctx->cleanup = &cln->handler;
}
*cctx->cleanup = ngx_http_lua_ssl_sess_fetch_aborted;
#ifdef SSL_ERROR_PENDING_SESSION
return SSL_magic_pending_session_ptr();
#else
ngx_log_error(NGX_LOG_CRIT, c->log, 0,
"lua: cannot yield in sess get cb: "
"missing async sess get cb support in OpenSSL");
/* fall through to the "failed" label below */
#endif
failed:
if (r && r->pool) {
ngx_http_lua_free_fake_request(r);
}
if (fc) {
ngx_http_lua_close_fake_connection(fc);
}
return NULL;
}
static int
ngx_http_multiple_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
{
ngx_connection_t *c;
ngx_http_connection_t *hc;
const char *servername;
ngx_str_t cert;
ngx_str_t key;
ngx_str_t host;
ngx_http_multiple_ssl_srv_conf_t *mscf;
c = ngx_ssl_get_connection(ssl_conn);
if (c == NULL) {
return 0;
}
hc = c->data;
if (NULL == hc) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"multiple ssl connection data hc NULL");
return 0;
}
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
"multiple ssl SSL_get_servername NULL");
return SSL_TLSEXT_ERR_NOACK;
}
host.len = ngx_strlen(servername);
if (host.len == 0) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
"multiple ssl servername len == 0");
return SSL_TLSEXT_ERR_NOACK;
}
host.data = (u_char *) servername;
ngx_log_error(NGX_LOG_INFO, c->log, 0, "multiple ssl servername \"%V\"", &host);
mscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_multiple_ssl_module);
if (NULL == mscf) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "multiple ssl mscf NULL");
return SSL_TLSEXT_ERR_NOACK;
}
if (!mscf->multiple_ssl_enable) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
"multiple ssl multiple_ssl_enable OFF");
return SSL_TLSEXT_ERR_NOACK;
}
cert.len = mscf->multiple_ssl_cert_path.len + 2 + host.len + ngx_strlen(".cert.der");
key.len = mscf->multiple_ssl_cert_path.len + 2 + host.len + ngx_strlen(".key.der");
cert.data = ngx_pnalloc(c->pool, cert.len);
if (NULL == cert.data) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "multiple ssl cert.data NULL");
return SSL_TLSEXT_ERR_NOACK;
}
ngx_memzero(cert.data, cert.len);
ngx_sprintf(cert.data, "%V/%V.cert.der", &mscf->multiple_ssl_cert_path, &host);
*(cert.data+cert.len) = 0;
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "multiple ssl cert %V", &cert);
key.data = ngx_pnalloc(c->pool, key.len+1);
if (NULL == key.data) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "multiple ssl key.data NULL");
return SSL_TLSEXT_ERR_NOACK;
}
ngx_memzero(key.data, key.len);
ngx_sprintf(key.data, "%V/%V.key.der", &mscf->multiple_ssl_cert_path, &host);
*(key.data+key.len) = 0;
if (0 != access((const char *)cert.data, F_OK|R_OK)) {
ngx_log_debug1(NGX_LOG_WARN, c->log, 0, "multiple ssl cert [%V] not exists or not read", &cert);
return SSL_TLSEXT_ERR_NOACK;
}
ngx_http_multiple_ssl_set_der_certificate(ssl_conn, &cert, &key);
return SSL_TLSEXT_ERR_OK;
}
