comparison src/event/ngx_event_openssl.c @ 3300:5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
author | Igor Sysoev <igor@sysoev.ru> |
date | Wed, 11 Nov 2009 10:59:07 +0000 |
parents | 52b1624b93c2 |
children | fc735aa50b8b |
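--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -13,10 +13,12 @@
     ngx_uint_t engine; /* unsigned engine:1; */
 } ngx_openssl_conf_t;
 
 
 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
+static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
+    int ret);
 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
 static void ngx_ssl_write_handler(ngx_event_t *wev);
 static void ngx_ssl_read_handler(ngx_event_t *rev);
 static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
@@ -173,10 +175,12 @@
         SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
     }
 
     SSL_CTX_set_read_ahead(ssl->ctx, 1);
 
+    SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+
     return NGX_OK;
 }
 
 
 ngx_int_t
@@ -345,10 +349,26 @@
         OPENSSL_free(issuer);
     }
 #endif
 
     return 1;
+}
+
+
+static void
+ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
+{
+    ngx_connection_t *c;
+
+    if (where & SSL_CB_HANDSHAKE_START) {
+        c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+        if (c->ssl->handshaked) {
+            c->ssl->renegotiation = 1;
+            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
+        }
+    }
 }
 
 
 ngx_int_t
 ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl)
@@ -585,10 +605,15 @@
         c->recv = ngx_ssl_recv;
         c->send = ngx_ssl_write;
         c->recv_chain = ngx_ssl_recv_chain;
         c->send_chain = ngx_ssl_send_chain;
 
+        /* initial handshake done, disable renegotiation (CVE-2009-3555) */
+        if (c->ssl->connection->s3) {
+            c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+        }
+
         return NGX_OK;
     }
 
     sslerr = SSL_get_error(c->ssl->connection, n);
 
@@ -786,10 +811,25 @@
 static ngx_int_t
 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
 {
     int sslerr;
     ngx_err_t err;
+
+    if (c->ssl->renegotiation) {
+        /*
+         * disable renegotiation (CVE-2009-3555):
+         * OpenSSL (at least up to 0.9.8l) does not handle disabled
+         * renegotiation gracefully, so drop connection here
+         */
+
+        ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
+
+        c->ssl->no_wait_shutdown = 1;
+        c->ssl->no_send_shutdown = 1;
+
+        return NGX_ERROR;
+    }
 
     if (n > 0) {
 
         if (c->ssl->saved_write_handler) {
 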
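Review bot: The write through `c->ssl->connection->s3` in the handshake-done hunk (new lines 611-613) reaches into OpenSSL's private `SSL` structure rather than going through a public API, so both compilation and behaviour depend on the library's internal layout; wrapping the block in `#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` … `#endif` would at least keep the file building where the flag is not defined. The flag is also set on every connection that completes a handshake, with no distinction between server-side and client-side SSL objects; if ngx_ssl_handshake also serves upstream (client) connections, a legitimate server-requested renegotiation on such a link would presumably be dropped by the new check at the top of ngx_ssl_handle_recv (new line 817), which is only reached on the read path, so a renegotiation surfacing during a write is caught no earlier than the next read. The `renegotiation` and `handshaked` bits are declared outside this file section, and ngx_ssl_handshake itself starts outside the hunk.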