comparison src/event/ngx_event_openssl.c @ 9199:875cd36b8617

SSL: disabled renegotiation checks with LibreSSL. Similar to 7356:e3ba4026c02d, as long as SSL_OP_NO_CLIENT_RENEGOTIATION is defined, it is the library's responsibility to prevent renegotiation. Additionally, this allows raising the LibreSSL version used to redefine OPENSSL_VERSION_NUMBER to 0x1010000fL, so that this won't result in attempts to dereference SSL objects made opaque in LibreSSL 3.4.0. Patch by Maxim Dounin.
author Sergey Kandaurov <pluknet@nginx.com>
date Mon, 25 Dec 2023 21:15:47 +0400
parents 0ba26c99b3a1
children 43fc897bbab8
9198:514c518b9d6c 9199:875cd36b8617
1103 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) 1103 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
1104 { 1104 {
1105 BIO *rbio, *wbio; 1105 BIO *rbio, *wbio;
1106 ngx_connection_t *c; 1106 ngx_connection_t *c;
1107 1107
1108 #ifndef SSL_OP_NO_RENEGOTIATION 1108 #if (!defined SSL_OP_NO_RENEGOTIATION \
1109 && !defined SSL_OP_NO_CLIENT_RENEGOTIATION)
1109 1110
1110 if ((where & SSL_CB_HANDSHAKE_START) 1111 if ((where & SSL_CB_HANDSHAKE_START)
1111 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) 1112 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
1112 { 1113 {
1113 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); 1114 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
1836 c->send_chain = ngx_ssl_send_chain; 1837 c->send_chain = ngx_ssl_send_chain;
1837 1838
1838 c->read->ready = 1; 1839 c->read->ready = 1;
1839 c->write->ready = 1; 1840 c->write->ready = 1;
1840 1841
1841 #ifndef SSL_OP_NO_RENEGOTIATION 1842 #if (!defined SSL_OP_NO_RENEGOTIATION \
1842 #if OPENSSL_VERSION_NUMBER < 0x10100000L 1843 && !defined SSL_OP_NO_CLIENT_RENEGOTIATION \
1843 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 1844 && defined SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS \
1845 && OPENSSL_VERSION_NUMBER < 0x10100000L)
1844 1846
1845 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ 1847 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
1846 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { 1848 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) {
1847 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; 1849 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
1848 } 1850 }
1849 1851
1850 #endif
1851 #endif
1852 #endif 1852 #endif
1853 1853
1854 #if (defined BIO_get_ktls_send && !NGX_WIN32) 1854 #if (defined BIO_get_ktls_send && !NGX_WIN32)
1855 1855
1856 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { 1856 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) {
2481 ngx_ssl_handle_recv(ngx_connection_t *c, int n) 2481 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
2482 { 2482 {
2483 int sslerr; 2483 int sslerr;
2484 ngx_err_t err; 2484 ngx_err_t err;
2485 2485
2486 #ifndef SSL_OP_NO_RENEGOTIATION 2486 #if (!defined SSL_OP_NO_RENEGOTIATION \
2487 && !defined SSL_OP_NO_CLIENT_RENEGOTIATION)
2487 2488
2488 if (c->ssl->renegotiation) { 2489 if (c->ssl->renegotiation) {
2489 /* 2490 /*
2490 * disable renegotiation (CVE-2009-3555): 2491 * disable renegotiation (CVE-2009-3555):
2491 * OpenSSL (at least up to 0.9.8l) does not handle disabled 2492 * OpenSSL (at least up to 0.9.8l) does not handle disabled