comparison src/event/ngx_event_openssl.c @ 380:bc21d9cd9c54 NGINX_0_7_2

nginx 0.7.2 *) Feature: now nginx supports EDH key exchange ciphers. *) Feature: the "ssl_dhparam" directive. *) Feature: the $ssl_client_cert variable. Thanks to Manlio Perillo. *) Bugfix: after changing URI via a "rewrite" directive nginx did not search a new location; bug appeared in 0.7.1. Thanks to Maxim Dounin. *) Bugfix: nginx could not be built without PCRE library; bug appeared in 0.7.1. *) Bugfix: when a request to a directory was redirected with the slash added, nginx dropped a query string from the original request.
author Igor Sysoev <http://sysoev.ru>
date Mon, 16 Jun 2008 00:00:00 +0400
parents 820f6378fc00
children 984bb0b1399b
379:9d9dad60269f 380:bc21d9cd9c54
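--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -180,10 +180,11 @@
 
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
     SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 #endif
 
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
 
     if (ngx_ssl_protocols[protocols >> 1] != 0) {
         SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
     }
 
@@ -346,10 +347,93 @@
     }
 
     ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "RSA_generate_key(512) failed");
 
     return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+    DH *dh;
+    BIO *bio;
+
+    /*
+     * -----BEGIN DH PARAMETERS-----
+     * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
+     * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
+     * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
+     * -----END DH PARAMETERS-----
+     */
+
+    static unsigned char dh1024_p[] = {
+        0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
+        0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
+        0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
+        0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
+        0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
+        0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
+        0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
+        0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
+        0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
+        0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
+        0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
+    };
+
+    static unsigned char dh1024_g[] = { 0x02 };
+
+
+    if (file->len == 0) {
+
+        dh = DH_new();
+        if (dh == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
+            return NGX_ERROR;
+        }
+
+        dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+        dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+
+        if (dh->p == NULL || dh->g == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
+            DH_free(dh);
+            return NGX_ERROR;
+        }
+
+        SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+        DH_free(dh);
+
+        return NGX_OK;
+    }
+
+    if (ngx_conf_full_name(cf->cycle, file, 1) == NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    bio = BIO_new_file((char *) file->data, "r");
+    if (bio == NULL) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "BIO_new_file(\"%s\") failed", file->data);
+        return NGX_ERROR;
+    }
+
+    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+    if (dh == NULL) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "PEM_read_bio_DHparams(\"%s\") failed", file->data);
+        BIO_free(bio);
+        return NGX_ERROR;
+    }
+
+    SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+    DH_free(dh);
+    BIO_free(bio);
+
+    return NGX_OK;
 }
 
 
 ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
@@ -1793,10 +1877,60 @@
     return NGX_OK;
 }
 
 
 ngx_int_t
+ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    size_t len;
+    BIO *bio;
+    X509 *cert;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    if (PEM_write_bio_X509(bio, cert) == 0) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
+        goto failed;
+    }
+
+    len = BIO_pending(bio);
+    s->len = len;
+
+    s->data = ngx_palloc(pool, len);
+    if (s->data == NULL) {
+        goto failed;
+    }
+
+    BIO_read(bio, s->data, len);
+
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_OK;
+
+failed:
+
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
     char *p;
     size_t len;
     X509 *cert;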
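Review bot: ngx_ssl_dhparam discards the return value of SSL_CTX_set_tmp_dh() at both call sites (new lines 403 and 429), so a failure there is reported to the caller as NGX_OK and nginx starts with no ephemeral DH parameters installed, which presumably leaves the EDH suites this release enables unusable rather than failing the configuration at startup. Every other OpenSSL call in this function is checked and logged through ngx_ssl_error at NGX_LOG_EMERG; the two SSL_CTX_set_tmp_dh() calls should follow the same pattern, freeing dh (and bio on the file path) before returning NGX_ERROR. Separately, the built-in dh1024_p group is 1024-bit and identical across every nginx deployment that leaves ssl_dhparam unset; a comment above the table should say so, e.g. `/* built-in 1024-bit group, used only when ssl_dhparam is unset; sites wanting a larger or private group must supply one */`.
```c
        /* … unchanged: DH_new() and BN_bin2bn() setup of the built-in group … */

        if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "SSL_CTX_set_tmp_dh() failed");
            DH_free(dh);
            return NGX_ERROR;
        }

        DH_free(dh);

        return NGX_OK;
    }

    /* … unchanged: ngx_conf_full_name(), BIO_new_file(), PEM_read_bio_DHparams() … */

    if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_tmp_dh() failed");
        DH_free(dh);
        BIO_free(bio);
        return NGX_ERROR;
    }

    DH_free(dh);
    BIO_free(bio);

    return NGX_OK;
```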