Mercurial > hg > nginx-vendor-current

diff src/event/ngx_event_openssl.c @ 380:bc21d9cd9c54 NGINX_0_7_2

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
nginx 0.7.2 *) Feature: now nginx supports EDH key exchange ciphers. *) Feature: the "ssl_dhparam" directive. *) Feature: the $ssl_client_cert variable. Thanks to Manlio Perillo. *) Bugfix: after changing URI via a "rewrite" directive nginx did not search a new location; bug appeared in 0.7.1. Thanks to Maxim Dounin. *) Bugfix: nginx could not be built without PCRE library; bug appeared in 0.7.1. *) Bugfix: when a request to a directory was redirected with the slash added, nginx dropped a query string from the original request.
author Igor Sysoev <http://sysoev.ru>
date Mon, 16 Jun 2008 00:00:00 +0400
parents 820f6378fc00
children 984bb0b1399b
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -182,6 +182,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
     SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 #endif
 
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
 
     if (ngx_ssl_protocols[protocols >> 1] != 0) {
         SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
@@ -352,6 +353,89 @@ ngx_ssl_generate_rsa512_key(ngx_ssl_t *s
 
 
 ngx_int_t
+ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+    DH   *dh;
+    BIO  *bio;
+
+    /*
+     * -----BEGIN DH PARAMETERS-----
+     * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
+     * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
+     * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
+     * -----END DH PARAMETERS-----
+     */
+
+    static unsigned char dh1024_p[] = {
+        0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
+        0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
+        0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
+        0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
+        0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
+        0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
+        0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
+        0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
+        0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
+        0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
+        0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
+    };
+
+    static unsigned char dh1024_g[] = { 0x02 };
+
+
+    if (file->len == 0) {
+
+        dh = DH_new();
+        if (dh == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
+            return NGX_ERROR;
+        }
+
+        dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+        dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+
+        if (dh->p == NULL || dh->g == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
+            DH_free(dh);
+            return NGX_ERROR;
+        }
+
+        SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+        DH_free(dh);
+
+        return NGX_OK;
+    }
+
+    if (ngx_conf_full_name(cf->cycle, file, 1) == NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    bio = BIO_new_file((char *) file->data, "r");
+    if (bio == NULL) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "BIO_new_file(\"%s\") failed", file->data);
+        return NGX_ERROR;
+    }
+
+    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+    if (dh == NULL) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "PEM_read_bio_DHparams(\"%s\") failed", file->data);
+        BIO_free(bio);
+        return NGX_ERROR;
+    }
+
+    SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+    DH_free(dh);
+    BIO_free(bio);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
 {
     ngx_ssl_connection_t  *sc;
@@ -1795,6 +1879,56 @@ ngx_ssl_get_cipher_name(ngx_connection_t
 
 
 ngx_int_t
+ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    size_t   len;
+    BIO     *bio;
+    X509    *cert;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    if (PEM_write_bio_X509(bio, cert) == 0) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
+        goto failed;
+    }
+
+    len = BIO_pending(bio);
+    s->len = len;
+
+    s->data = ngx_palloc(pool, len);
+    if (s->data == NULL) {
+        goto failed;
+    }
+
+    BIO_read(bio, s->data, len);
+
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_OK;
+
+failed:
+
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
     char       *p;