Diffstat (limited to 'src/event/ngx_event_openssl.c')
-rw-r--r--src/event/ngx_event_openssl.c78
1 files changed, 30 insertions, 48 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 8d1f5695c..3ed003062 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -131,10 +131,8 @@ int ngx_ssl_server_conf_index;
int ngx_ssl_session_cache_index;
int ngx_ssl_ticket_keys_index;
int ngx_ssl_ocsp_index;
-int ngx_ssl_certificate_index;
-int ngx_ssl_next_certificate_index;
+int ngx_ssl_index;
int ngx_ssl_certificate_name_index;
-int ngx_ssl_stapling_index;
ngx_int_t
@@ -258,21 +256,14 @@ ngx_ssl_init(ngx_log_t *log)
return NGX_ERROR;
}
- ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
- NULL);
- if (ngx_ssl_certificate_index == -1) {
+ ngx_ssl_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+
+ if (ngx_ssl_index == -1) {
ngx_ssl_error(NGX_LOG_ALERT, log, 0,
"SSL_CTX_get_ex_new_index() failed");
return NGX_ERROR;
}
- ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
- NULL);
- if (ngx_ssl_next_certificate_index == -1) {
- ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
- return NGX_ERROR;
- }
-
ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
NULL);
@@ -281,13 +272,6 @@ ngx_ssl_init(ngx_log_t *log)
return NGX_ERROR;
}
- ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL);
-
- if (ngx_ssl_stapling_index == -1) {
- ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
- return NGX_ERROR;
- }
-
return NGX_OK;
}
@@ -308,12 +292,15 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
return NGX_ERROR;
}
- if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) {
+ if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_index, ssl) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_set_ex_data() failed");
return NGX_ERROR;
}
+ ngx_rbtree_init(&ssl->staple_rbtree, &ssl->staple_sentinel,
+ ngx_rbtree_insert_value);
+
ssl->buffer_size = NGX_SSL_BUFSIZE;
/* client side options */
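Review bot: The slot written by `SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_index, ssl)` now holds a raw back-pointer to the ngx_ssl_t instead of NULL, and nothing in the hunk records the lifetime rule this creates: the index is registered in ngx_ssl_init with no free or dup callbacks, so OpenSSL will never release or refresh the pointer and ssl must remain valid for as long as ssl->ctx does. The cleanup hunk in ngx_ssl_cleanup_ctx suggests the ngx_ssl_t is the object that eventually frees the ctx, which would satisfy this, but a one-line comment at the call would save the next reader the search: `/* ctx keeps a raw pointer to ssl (no ex_data free callback); ssl must outlive ctx */`. Separately, `staple_rbtree` is set up eagerly here while `ssl->certs` is set up lazily in ngx_ssl_certificate; if a pool were available here, initializing both in one place would be easier to reason about. ngx_ssl_create continues outside the hunk.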
@@ -458,7 +445,7 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_str_t *key, ngx_array_t *passwords)
{
char *err;
- X509 *x509;
+ X509 *x509, **elm;
EVP_PKEY *pkey;
STACK_OF(X509) *chain;
@@ -490,29 +477,29 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
return NGX_ERROR;
}
- if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index,
- SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index))
- == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
- X509_free(x509);
- sk_X509_pop_free(chain, X509_free);
- return NGX_ERROR;
+ if (ssl->certs.elts == NULL) {
+ if (ngx_array_init(&ssl->certs, cf->pool, 1, sizeof(X509 *))
+ != NGX_OK)
+ {
+ X509_free(x509);
+ sk_X509_pop_free(chain, X509_free);
+ return NGX_ERROR;
+ }
}
- if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509) == 0) {
- ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "SSL_CTX_set_ex_data() failed");
+ elm = ngx_array_push(&ssl->certs);
+ if (elm == NULL) {
X509_free(x509);
sk_X509_pop_free(chain, X509_free);
return NGX_ERROR;
}
+ *elm = x509;
+
/*
* Note that x509 is not freed here, but will be instead freed in
* ngx_ssl_cleanup_ctx(). This is because we need to preserve all
- * certificates to be able to iterate all of them through exdata
- * (ngx_ssl_certificate_index, ngx_ssl_next_certificate_index),
+ * certificates to be able to iterate all of them through ssl->certs,
* while OpenSSL can free a certificate if it is replaced with another
* certificate of the same type.
*/
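Review bot: The lazy initialization guarded by `if (ssl->certs.elts == NULL)` relies on the ngx_ssl_t having been zero-filled before ngx_ssl_certificate is first called, a precondition the replaced ex_data chaining did not have; an ngx_ssl_t obtained from ngx_palloc or the stack would reach `ngx_array_push(&ssl->certs)` with garbage array fields. Presumably callers use ngx_pcalloc, but the assumption should be stated next to the check: `/* ssl->certs is zeroed together with the ngx_ssl_t; allocate it on the first certificate */`. The two new failure paths also return without an error message where the replaced X509_set_ex_data()/SSL_CTX_set_ex_data() paths logged one; that is acceptable if the pool allocator already reports the failure, otherwise the caller loses the diagnostic. The function continues outside the hunk.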
@@ -3820,10 +3807,9 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
goto failed;
}
- for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
- cert;
- cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
- {
+ for (k = 0; k < ssl->certs.nelts; k++) {
+ cert = ((X509 **) ssl->certs.elts)[k];
+
if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"X509_digest() failed");
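Review bot: The element access `cert = ((X509 **) ssl->certs.elts)[k];` repeats a cast that appears again in the ngx_ssl_cleanup_ctx hunk (`((X509 **) ssl->certs.elts)[i]`); a typed local before each loop, `X509 **certs = ssl->certs.elts;` followed by `cert = certs[k];`, keeps the cast in one place and reads as array iteration. The loop counter `k` is declared outside the hunk, so its type cannot be checked here; it should be ngx_uint_t to match `ssl->certs.nelts`, as the cleanup hunk already does with `i`. ngx_ssl_session_id_context starts and ends outside the hunk.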
@@ -3837,9 +3823,7 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
}
}
- if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL
- && certificates != NULL)
- {
+ if (ssl->certs.nelts == 0 && certificates != NULL) {
/*
* If certificates are loaded dynamically, we use certificate
* names as specified in the configuration (with variables).
@@ -4851,14 +4835,12 @@ ngx_ssl_cleanup_ctx(void *data)
{
ngx_ssl_t *ssl = data;
- X509 *cert, *next;
-
- cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
+ X509 *cert;
+ ngx_uint_t i;
- while (cert) {
- next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
+ for (i = 0; i < ssl->certs.nelts; i++) {
+ cert = ((X509 **) ssl->certs.elts)[i];
X509_free(cert);
- cert = next;
}
SSL_CTX_free(ssl->ctx);
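Review bot: After the loop every entry of `ssl->certs` is a freed pointer while `ssl->certs.nelts` still counts them, so any later pass over the array (ngx_ssl_session_id_context iterates it by nelts) would be a use-after-free; resetting the count after the loop, `ssl->certs.nelts = 0;`, costs nothing and leaves the array safe to revisit. Whether anything can run against this ngx_ssl_t after the pool cleanup fires is not visible here, so this is a defensive change rather than a known defect. ngx_ssl_cleanup_ctx continues past the hunk.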