
[nginx] SSL: stop accessing SSL_SESSION's fields directly.

Maxim Dounin
July 08, 2014 09:50PM
details: http://hg.nginx.org/nginx/rev/5b7276408565
branches:
changeset: 5756:5b7276408565
user: Piotr Sikora <piotr@cloudflare.com>
date: Sun Jul 06 16:41:14 2014 -0700
description:
SSL: stop accessing SSL_SESSION's fields directly.

The SSL_SESSION struct is an internal part of the OpenSSL library and its fields
should be accessed via API (when exposed), not directly.

The unfortunate side-effect of this change is that we're losing reference
count that used to be printed at the debug log level, but this seems to be
an acceptable trade-off.

Almost fixes build with -DOPENSSL_NO_SSL_INTERN.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>

diffstat:

src/event/ngx_event_openssl.c | 58 +++++++++++++++++++++++--------
src/http/ngx_http_upstream_round_robin.c | 14 +++----
2 files changed, 49 insertions(+), 23 deletions(-)

diffs (178 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2078,9 +2078,10 @@ static int
ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
{
int len;
- u_char *p, *id, *cached_sess;
+ u_char *p, *id, *cached_sess, *session_id;
uint32_t hash;
SSL_CTX *ssl_ctx;
+ unsigned int session_id_length;
ngx_shm_zone_t *shm_zone;
ngx_connection_t *c;
ngx_slab_pool_t *shpool;
@@ -2143,13 +2144,24 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
}
}

+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+
+ session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
+
+#else
+
+ session_id = sess->session_id;
+ session_id_length = sess->session_id_length;
+
+#endif
+
#if (NGX_PTR_SIZE == 8)

id = sess_id->sess_id;

#else

- id = ngx_slab_alloc_locked(shpool, sess->session_id_length);
+ id = ngx_slab_alloc_locked(shpool, session_id_length);

if (id == NULL) {

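Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x0090800fL` / `#else` pair added here is repeated verbatim in ngx_ssl_remove_session and ngx_ssl_get_session_id later in this file, so three copies of the version fallback have to be kept in sync. A single static helper (the name below is only a suggestion) would confine the direct field access to one place and make the remaining `-DOPENSSL_NO_SSL_INTERN` work easier to audit. The `(u_char *)` cast also discards the `const` on the pointer returned by SSL_SESSION_get_id(); keeping the cast in one helper makes it clear the session ID bytes are only read. ngx_ssl_new_session's body starts and ends outside this hunk.

```c
static u_char *
ngx_ssl_session_id(ngx_ssl_session_t *sess, unsigned int *len)
{
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
    /* the returned bytes belong to the session and are only read */
    return (u_char *) SSL_SESSION_get_id(sess, len);
#else
    *len = sess->session_id_length;
    return sess->session_id;
#endif
}

/* … in ngx_ssl_new_session, replacing the #if/#else block … */
    session_id = ngx_ssl_session_id(sess, &session_id_length);
```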
@@ -2157,7 +2169,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_

ngx_ssl_expire_sessions(cache, shpool, 0);

- id = ngx_slab_alloc_locked(shpool, sess->session_id_length);
+ id = ngx_slab_alloc_locked(shpool, session_id_length);

if (id == NULL) {
goto failed;
@@ -2168,16 +2180,16 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_

ngx_memcpy(cached_sess, buf, len);

- ngx_memcpy(id, sess->session_id, sess->session_id_length);
-
- hash = ngx_crc32_short(sess->session_id, sess->session_id_length);
+ ngx_memcpy(id, session_id, session_id_length);
+
+ hash = ngx_crc32_short(session_id, session_id_length);

ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
- "ssl new session: %08XD:%d:%d",
- hash, sess->session_id_length, len);
+ "ssl new session: %08XD:%ud:%d",
+ hash, session_id_length, len);

sess_id->node.key = hash;
- sess_id->node.data = (u_char) sess->session_id_length;
+ sess_id->node.data = (u_char) session_id_length;
sess_id->id = id;
sess_id->len = len;
sess_id->session = cached_sess;
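Review bot: `ngx_memcpy(id, session_id, session_id_length)` copies a length taken from the OpenSSL out-parameter with no visible bound. On `NGX_PTR_SIZE == 8` builds `id` is the embedded `sess_id->sess_id` buffer assigned in the earlier hunk, and its size is not shown here. The copy is safe only while that buffer is at least as large as OpenSSL's maximum session ID length, and the `(u_char) session_id_length` stored in `node.data` depends on the same limit. I would state the invariant next to the copy, for example `/* session_id_length <= SSL_MAX_SSL_SESSION_ID_LENGTH, which must fit sess_id->sess_id and a u_char */`, or reject an oversized length right after it is read, before any slab allocation. ngx_ssl_new_session's body starts and ends outside this hunk.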
@@ -2325,10 +2337,10 @@ ngx_ssl_remove_cached_session(SSL_CTX *s
static void
ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
{
- size_t len;
u_char *id;
uint32_t hash;
ngx_int_t rc;
+ unsigned int len;
ngx_shm_zone_t *shm_zone;
ngx_slab_pool_t *shpool;
ngx_rbtree_node_t *node, *sentinel;
@@ -2343,13 +2355,21 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx

cache = shm_zone->data;

+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+
+ id = (u_char *) SSL_SESSION_get_id(sess, &len);
+
+#else
+
id = sess->session_id;
- len = (size_t) sess->session_id_length;
+ len = sess->session_id_length;
+
+#endif

hash = ngx_crc32_short(id, len);

ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
- "ssl remove session: %08XD:%uz", hash, len);
+ "ssl remove session: %08XD:%ud", hash, len);

shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;

@@ -2891,9 +2911,9 @@ ngx_ssl_get_cipher_name(ngx_connection_t
ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
- int len;
- u_char *buf;
- SSL_SESSION *sess;
+ u_char *buf;
+ SSL_SESSION *sess;
+ unsigned int len;

sess = SSL_get0_session(c->ssl->connection);
if (sess == NULL) {
@@ -2901,9 +2921,17 @@ ngx_ssl_get_session_id(ngx_connection_t
return NGX_OK;
}

+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+
+ buf = (u_char *) SSL_SESSION_get_id(sess, &len);
+
+#else
+
buf = sess->session_id;
len = sess->session_id_length;

+#endif
+
s->len = 2 * len;
s->data = ngx_pnalloc(pool, 2 * len);
if (s->data == NULL) {
diff --git a/src/http/ngx_http_upstream_round_robin.c b/src/http/ngx_http_upstream_round_robin.c
--- a/src/http/ngx_http_upstream_round_robin.c
+++ b/src/http/ngx_http_upstream_round_robin.c
@@ -632,9 +632,8 @@ ngx_http_upstream_set_round_robin_peer_s

rc = ngx_ssl_set_session(pc->connection, ssl_session);

- ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
- "set session: %p:%d",
- ssl_session, ssl_session ? ssl_session->references : 0);
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
+ "set session: %p", ssl_session);

/* ngx_unlock_mutex(rrp->peers->mutex); */

@@ -657,8 +656,8 @@ ngx_http_upstream_save_round_robin_peer_
return;
}

- ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
- "save session: %p:%d", ssl_session, ssl_session->references);
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
+ "save session: %p", ssl_session);

peer = &rrp->peers->peer[rrp->current];

@@ -672,9 +671,8 @@ ngx_http_upstream_save_round_robin_peer_

if (old_ssl_session) {

- ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
- "old session: %p:%d",
- old_ssl_session, old_ssl_session->references);
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
+ "old session: %p", old_ssl_session);

/* TODO: may block */


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel