SSL: stop accessing SSL_SESSION's fields directly.
SSL_SESSION struct is internal part of the OpenSSL library and its fields should be accessed via API (when exposed), not directly. The unfortunate side-effect of this change is that we're losing reference count that used to be printed at the debug log level, but this seems to be an acceptable trade-off. Almost fixes build with -DOPENSSL_NO_SSL_INTERN. Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
parent
ce64398751
commit
d224ed7eea
@ -2078,9 +2078,10 @@ static int
|
|||||||
ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
||||||
{
|
{
|
||||||
int len;
|
int len;
|
||||||
u_char *p, *id, *cached_sess;
|
u_char *p, *id, *cached_sess, *session_id;
|
||||||
uint32_t hash;
|
uint32_t hash;
|
||||||
SSL_CTX *ssl_ctx;
|
SSL_CTX *ssl_ctx;
|
||||||
|
unsigned int session_id_length;
|
||||||
ngx_shm_zone_t *shm_zone;
|
ngx_shm_zone_t *shm_zone;
|
||||||
ngx_connection_t *c;
|
ngx_connection_t *c;
|
||||||
ngx_slab_pool_t *shpool;
|
ngx_slab_pool_t *shpool;
|
||||||
@ -2143,13 +2144,24 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
||||||
|
|
||||||
|
session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
|
||||||
|
|
||||||
|
#else
|
||||||
|
|
||||||
|
session_id = sess->session_id;
|
||||||
|
session_id_length = sess->session_id_length;
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
#if (NGX_PTR_SIZE == 8)
|
#if (NGX_PTR_SIZE == 8)
|
||||||
|
|
||||||
id = sess_id->sess_id;
|
id = sess_id->sess_id;
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
id = ngx_slab_alloc_locked(shpool, sess->session_id_length);
|
id = ngx_slab_alloc_locked(shpool, session_id_length);
|
||||||
|
|
||||||
if (id == NULL) {
|
if (id == NULL) {
|
||||||
|
|
||||||
@ -2157,7 +2169,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|||||||
|
|
||||||
ngx_ssl_expire_sessions(cache, shpool, 0);
|
ngx_ssl_expire_sessions(cache, shpool, 0);
|
||||||
|
|
||||||
id = ngx_slab_alloc_locked(shpool, sess->session_id_length);
|
id = ngx_slab_alloc_locked(shpool, session_id_length);
|
||||||
|
|
||||||
if (id == NULL) {
|
if (id == NULL) {
|
||||||
goto failed;
|
goto failed;
|
||||||
@ -2168,16 +2180,16 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|||||||
|
|
||||||
ngx_memcpy(cached_sess, buf, len);
|
ngx_memcpy(cached_sess, buf, len);
|
||||||
|
|
||||||
ngx_memcpy(id, sess->session_id, sess->session_id_length);
|
ngx_memcpy(id, session_id, session_id_length);
|
||||||
|
|
||||||
hash = ngx_crc32_short(sess->session_id, sess->session_id_length);
|
hash = ngx_crc32_short(session_id, session_id_length);
|
||||||
|
|
||||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||||
"ssl new session: %08XD:%d:%d",
|
"ssl new session: %08XD:%ud:%d",
|
||||||
hash, sess->session_id_length, len);
|
hash, session_id_length, len);
|
||||||
|
|
||||||
sess_id->node.key = hash;
|
sess_id->node.key = hash;
|
||||||
sess_id->node.data = (u_char) sess->session_id_length;
|
sess_id->node.data = (u_char) session_id_length;
|
||||||
sess_id->id = id;
|
sess_id->id = id;
|
||||||
sess_id->len = len;
|
sess_id->len = len;
|
||||||
sess_id->session = cached_sess;
|
sess_id->session = cached_sess;
|
||||||
@ -2325,10 +2337,10 @@ ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
|
|||||||
static void
|
static void
|
||||||
ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
|
ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
|
||||||
{
|
{
|
||||||
size_t len;
|
|
||||||
u_char *id;
|
u_char *id;
|
||||||
uint32_t hash;
|
uint32_t hash;
|
||||||
ngx_int_t rc;
|
ngx_int_t rc;
|
||||||
|
unsigned int len;
|
||||||
ngx_shm_zone_t *shm_zone;
|
ngx_shm_zone_t *shm_zone;
|
||||||
ngx_slab_pool_t *shpool;
|
ngx_slab_pool_t *shpool;
|
||||||
ngx_rbtree_node_t *node, *sentinel;
|
ngx_rbtree_node_t *node, *sentinel;
|
||||||
@ -2343,13 +2355,21 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
|
|||||||
|
|
||||||
cache = shm_zone->data;
|
cache = shm_zone->data;
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
||||||
|
|
||||||
|
id = (u_char *) SSL_SESSION_get_id(sess, &len);
|
||||||
|
|
||||||
|
#else
|
||||||
|
|
||||||
id = sess->session_id;
|
id = sess->session_id;
|
||||||
len = (size_t) sess->session_id_length;
|
len = sess->session_id_length;
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
hash = ngx_crc32_short(id, len);
|
hash = ngx_crc32_short(id, len);
|
||||||
|
|
||||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
|
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
|
||||||
"ssl remove session: %08XD:%uz", hash, len);
|
"ssl remove session: %08XD:%ud", hash, len);
|
||||||
|
|
||||||
shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
|
shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
|
||||||
|
|
||||||
@ -2891,9 +2911,9 @@ ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||||
{
|
{
|
||||||
int len;
|
|
||||||
u_char *buf;
|
u_char *buf;
|
||||||
SSL_SESSION *sess;
|
SSL_SESSION *sess;
|
||||||
|
unsigned int len;
|
||||||
|
|
||||||
sess = SSL_get0_session(c->ssl->connection);
|
sess = SSL_get0_session(c->ssl->connection);
|
||||||
if (sess == NULL) {
|
if (sess == NULL) {
|
||||||
@ -2901,9 +2921,17 @@ ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||||||
return NGX_OK;
|
return NGX_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
|
||||||
|
|
||||||
|
buf = (u_char *) SSL_SESSION_get_id(sess, &len);
|
||||||
|
|
||||||
|
#else
|
||||||
|
|
||||||
buf = sess->session_id;
|
buf = sess->session_id;
|
||||||
len = sess->session_id_length;
|
len = sess->session_id_length;
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
s->len = 2 * len;
|
s->len = 2 * len;
|
||||||
s->data = ngx_pnalloc(pool, 2 * len);
|
s->data = ngx_pnalloc(pool, 2 * len);
|
||||||
if (s->data == NULL) {
|
if (s->data == NULL) {
|
||||||
|
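Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x0090800fL` / `#else` / `#endif` block that fetches the session id is now spelled out three times in this file (the hunks at 2143 in ngx_ssl_new_session, 2343 in ngx_ssl_remove_session and 2901 in ngx_ssl_get_session_id), each with a `(u_char *)` cast that discards the `const` SSL_SESSION_get_id() puts on its result, and each `#else` branch still reaching into the struct. Centralising the version check and the cast in one static helper would leave a single site to update when the fallback is dropped or the OpenSSL API moves again, and gives the cast a place to be explained: the consumers visible in these hunks (the ngx_memcpy source, ngx_crc32_short) only read through the pointer, and presumably those nginx helpers take a non-const `u_char *`, which is why the cast is there at all — worth confirming against their prototypes before writing that down as fact. All three enclosing functions start or end outside their hunks.
```c
/* Returns the session id and stores its length in *len.  The cast drops
 * the const that SSL_SESSION_get_id() puts on its result because the nginx
 * helpers that consume the id take u_char *; the id is only read through it. */
static u_char *
ngx_ssl_session_id_get(ngx_ssl_session_t *sess, unsigned int *len)
{
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
    return (u_char *) SSL_SESSION_get_id(sess, len);
#else
    *len = sess->session_id_length;
    return sess->session_id;
#endif
}

/* … in ngx_ssl_new_session, replacing the #if/#else/#endif block … */
    session_id = ngx_ssl_session_id_get(sess, &session_id_length);
```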
@ -632,9 +632,8 @@ ngx_http_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||||||
|
|
||||||
rc = ngx_ssl_set_session(pc->connection, ssl_session);
|
rc = ngx_ssl_set_session(pc->connection, ssl_session);
|
||||||
|
|
||||||
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
|
||||||
"set session: %p:%d",
|
"set session: %p", ssl_session);
|
||||||
ssl_session, ssl_session ? ssl_session->references : 0);
|
|
||||||
|
|
||||||
/* ngx_unlock_mutex(rrp->peers->mutex); */
|
/* ngx_unlock_mutex(rrp->peers->mutex); */
|
||||||
|
|
||||||
@ -657,8 +656,8 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
|
||||||
"save session: %p:%d", ssl_session, ssl_session->references);
|
"save session: %p", ssl_session);
|
||||||
|
|
||||||
peer = &rrp->peers->peer[rrp->current];
|
peer = &rrp->peers->peer[rrp->current];
|
||||||
|
|
||||||
@ -672,9 +671,8 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||||||
|
|
||||||
if (old_ssl_session) {
|
if (old_ssl_session) {
|
||||||
|
|
||||||
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
|
||||||
"old session: %p:%d",
|
"old session: %p", old_ssl_session);
|
||||||
old_ssl_session, old_ssl_session->references);
|
|
||||||
|
|
||||||
/* TODO: may block */
|
/* TODO: may block */
|
||||||
|
|
||||||
|