nginx-0.3.57-RELEASE import
*) Feature: the $ssl_client_serial variable.
*) Bugfix: in the "!-e" operator of the "if" directive.
Thanks to Andrian Budanstov.
*) Bugfix: during client certificate verification nginx did not send
the required certificate information to the client.
*) Bugfix: the $document_root variable did not support the variables in
the "root" directive.
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 344f613..30c2d11 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -9,7 +9,8 @@
#include <ngx_http.h>
-typedef u_char *(*ngx_ssl_variable_handler_pt)(ngx_connection_t *);
+typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
+ ngx_pool_t *pool, ngx_str_t *s);
#define NGX_DEFLAUT_CERTIFICATE "cert.pem"
@@ -17,13 +18,10 @@
#define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
-static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
+static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
+ ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
-static ngx_int_t ngx_http_ssl_client_s_dn(ngx_http_request_t *r,
- ngx_http_variable_value_t *v, uintptr_t data);
-static ngx_int_t ngx_http_ssl_client_i_dn(ngx_http_request_t *r,
- ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
@@ -161,17 +159,20 @@
static ngx_http_variable_t ngx_http_ssl_vars[] = {
- { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_variable,
+ { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
(uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGABLE, 0 },
- { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_variable,
+ { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
(uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGABLE, 0 },
- { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_client_s_dn,
- 0, NGX_HTTP_VAR_CHANGABLE, 0 },
+ { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGABLE, 0 },
- { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_client_i_dn,
- 0, NGX_HTTP_VAR_CHANGABLE, 0 },
+ { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGABLE, 0 },
+
+ { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGABLE, 0 },
{ ngx_null_string, NULL, NULL, 0, 0, 0 }
};
@@ -181,25 +182,23 @@
static ngx_int_t
-ngx_http_ssl_variable(ngx_http_request_t *r,
+ngx_http_ssl_static_variable(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
- ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
+ ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
- size_t len;
- u_char *name;
+ size_t len;
if (r->connection->ssl) {
- name = handler(r->connection);
+ (void) handler(r->connection, NULL, (ngx_str_t *) v);
- for (len = 0; name[len]; len++) { /* void */ }
+ for (len = 0; v->data[len]; len++) { /* void */ }
v->len = len;
v->valid = 1;
v->no_cachable = 0;
v->not_found = 0;
- v->data = name;
return NGX_OK;
}
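Review bot: In ngx_http_ssl_static_variable the handler's return value is discarded with `(void)` and the next line walks `v->data` looking for the terminator, so a getter that fails or leaves the data pointer unset would cause a read through an invalid pointer. The getters wired to this path (ngx_ssl_get_protocol, ngx_ssl_get_cipher_name) are not visible in this diff, so this may be safe today, but the new typedef returns ngx_int_t and the sibling ngx_http_ssl_variable does check it. I would write `if (handler(r->connection, NULL, (ngx_str_t *) v) != NGX_OK) { return NGX_ERROR; }` and add a short comment stating that handlers used here must tolerate a NULL pool and return a NUL-terminated string. The tail of the function lies outside the hunk.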
@@ -211,39 +210,13 @@
static ngx_int_t
-ngx_http_ssl_client_s_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v,
+ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
uintptr_t data)
{
+ ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
+
if (r->connection->ssl) {
- if (ngx_ssl_get_subject_dn(r->connection, r->pool, (ngx_str_t *) v)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
-
- if (v->len) {
- v->valid = 1;
- v->no_cachable = 0;
- v->not_found = 0;
-
- return NGX_OK;
- }
- }
-
- v->not_found = 1;
-
- return NGX_OK;
-}
-
-
-static ngx_int_t
-ngx_http_ssl_client_i_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v,
- uintptr_t data)
-{
- if (r->connection->ssl) {
- if (ngx_ssl_get_issuer_dn(r->connection, r->pool, (ngx_str_t *) v)
- != NGX_OK)
- {
+ if (handler(r->connection, r->pool, (ngx_str_t *) v) != NGX_OK) {
return NGX_ERROR;
}
@@ -385,18 +358,11 @@
}
if (conf->verify) {
- SSL_CTX_set_verify(conf->ssl.ctx, NGX_SSL_VERIFY,
- ngx_http_ssl_verify_callback);
-
- SSL_CTX_set_verify_depth(conf->ssl.ctx, conf->verify_depth);
-
- if (conf->client_certificate.len) {
- if (ngx_ssl_client_certificate(cf, &conf->ssl,
- &conf->client_certificate)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
+ if (ngx_ssl_client_certificate(cf, &conf->ssl,
+ &conf->client_certificate, conf->verify_depth)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
}
}
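Review bot: With the `conf->client_certificate.len` guard removed, `ngx_ssl_client_certificate()` is now called with an empty file name whenever verification is enabled but no CA file is configured. What the helper does with an empty name is not visible in this diff, so whether that case fails cleanly or leaves verification enabled without a trust store cannot be confirmed here. An explicit configuration-time check before the call makes the outcome independent of the helper and gives the operator a clear message. The enclosing function starts outside the hunk.

```c
    if (conf->verify) {

        if (conf->client_certificate.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no ssl_client_certificate for ssl_verify_client");
            return NGX_CONF_ERROR;
        }

        /* … unchanged: ngx_ssl_client_certificate() call and its NGX_OK check … */
    }
```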
@@ -424,13 +390,6 @@
}
-static int
-ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
-{
- return 1;
-}
-
-
#if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE)
static char *
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index eb4934e..9d33d3a 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1072,7 +1072,7 @@
} else {
if (ngx_http_script_run(r, path, clcf->root_lengths->elts, reserved,
- clcf->root_values->elts)
+ clcf->root_values->elts)
== NULL)
{
return NULL;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 42933e8..417f3df 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1344,7 +1344,7 @@
if (rc != X509_V_OK) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
- "client SSL certificate verify error: (%l:%s) ",
+ "client SSL certificate verify error: (%l:%s)",
rc, X509_verify_cert_error_string(rc));
ngx_http_finalize_request(r, NGX_HTTPS_CERT_ERROR);
return NGX_ERROR;
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
index 947bce6..1918397 100644
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -960,13 +960,16 @@
}
switch (code->op) {
+
case ngx_http_script_file_plain:
case ngx_http_script_file_dir:
case ngx_http_script_file_exists:
case ngx_http_script_file_exec:
goto false;
+
case ngx_http_script_file_not_plain:
case ngx_http_script_file_not_dir:
+ case ngx_http_script_file_not_exists:
case ngx_http_script_file_not_exec:
goto true;
}
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 8ca24e2..5e22f2d 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -769,7 +769,8 @@
static void
ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u)
{
- int rc;
+ int rc, err;
+ socklen_t len;
ngx_connection_t *c;
c = u->peer.connection;
@@ -777,19 +778,42 @@
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
"http upstream send request");
+ if (!u->request_sent) {
+
#if (NGX_HAVE_KQUEUE)
- if ((ngx_event_flags & NGX_USE_KQUEUE_EVENT)
- && !u->request_sent
- && c->write->pending_eof)
- {
- (void) ngx_connection_error(c, c->write->kq_errno,
+ if (ngx_event_flags & NGX_USE_KQUEUE_EVENT) {
+ if (c->write->pending_eof) {
+ (void) ngx_connection_error(c, c->write->kq_errno,
"kevent() reported that connect() failed");
- ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
- return;
- }
+ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+ return;
+ }
+ } else
#endif
+ {
+ err = 0;
+ len = sizeof(int);
+
+ /*
+ * BSDs and Linux return 0 and set a pending error in err
+ * Solaris returns -1 and sets errno
+ */
+
+ if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len)
+ == -1)
+ {
+ err = ngx_errno;
+ }
+
+ if (err) {
+ (void) ngx_connection_error(c, err, "connect() failed");
+ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+ return;
+ }
+ }
+ }
c->log->action = "sending request to upstream";
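Review bot: The non-kqueue branch hard-codes `len = sizeof(int)` although `err` is declared in the previous hunk as `int rc, err;`; `len = sizeof(err);` keeps the option length tied to the variable if its type ever changes. The `} else` / `#endif` / `{` construct is also easy to misread when NGX_HAVE_KQUEUE is undefined. A comment above the block such as `/* no pending_eof outside kqueue: read SO_ERROR once, before the first send, to learn whether connect() failed */` would explain why the check is gated on `!u->request_sent`. The function continues outside the hunk.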
diff --git a/src/http/ngx_http_variables.c b/src/http/ngx_http_variables.c
index f151f87..d5fbfc9 100644
--- a/src/http/ngx_http_variables.c
+++ b/src/http/ngx_http_variables.c
@@ -137,7 +137,7 @@
offsetof(ngx_http_request_t, request_line), 0, 0 },
{ ngx_string("document_root"), NULL,
- ngx_http_variable_document_root, 0, 0, 0 },
+ ngx_http_variable_document_root, 0, NGX_HTTP_VAR_NOCACHABLE, 0 },
{ ngx_string("query_string"), NULL, ngx_http_variable_request,
offsetof(ngx_http_request_t, args),
@@ -775,15 +775,36 @@
ngx_http_variable_document_root(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
+ ngx_str_t path;
ngx_http_core_loc_conf_t *clcf;
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
- v->len = clcf->root.len;
- v->valid = 1;
- v->no_cachable = 0;
- v->not_found = 0;
- v->data = clcf->root.data;
+ if (clcf->root_lengths == NULL) {
+ v->len = clcf->root.len;
+ v->valid = 1;
+ v->no_cachable = 0;
+ v->not_found = 0;
+ v->data = clcf->root.data;
+
+ } else {
+ if (ngx_http_script_run(r, &path, clcf->root_lengths->elts, 0,
+ clcf->root_values->elts)
+ == NULL)
+ {
+ return NGX_ERROR;
+ }
+
+ if (ngx_conf_full_name((ngx_cycle_t *) ngx_cycle, &path) == NGX_ERROR) {
+ return NGX_ERROR;
+ }
+
+ v->len = path.len;
+ v->valid = 1;
+ v->no_cachable = 0;
+ v->not_found = 0;
+ v->data = path.data;
+ }
return NGX_OK;
}
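Review bot: In the new `else` branch, `ngx_conf_full_name((ngx_cycle_t *) ngx_cycle, &path)` is called on the request path with the global cycle rather than `r->pool`. The helper is not visible here, but if it allocates from the cycle's pool when it prefixes a relative path, every evaluation of $document_root would add memory that is never released for the life of the worker, which a client can drive by request volume. I would resolve the prefix against `r->pool` instead, or at least add `/* NOTE: confirm ngx_conf_full_name() does not allocate from cycle->pool per request */` above the call. Separately, this hunk's table entry is now flagged `NGX_HTTP_VAR_NOCACHABLE` while the branch still sets `v->no_cachable = 0`; a one-line comment saying which of the two governs caching would avoid confusion.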