Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 7461:a68799465b19
SSL: loading of connection-specific certificates.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 25 Feb 2019 16:41:44 +0300 |
| parents | 77436d9951a1 |
| children | 180df83473a4 |
comparison
equal
deleted
inserted
replaced
| 7460:77436d9951a1 | 7461:a68799465b19 |
|---|---|
| 526 | 526 |
| 527 return NGX_OK; | 527 return NGX_OK; |
| 528 } | 528 } |
| 529 | 529 |
| 530 | 530 |
| 531 ngx_int_t | |
| 532 ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, | |
| 533 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords) | |
| 534 { | |
| 535 char *err; | |
| 536 X509 *x509; | |
| 537 EVP_PKEY *pkey; | |
| 538 STACK_OF(X509) *chain; | |
| 539 | |
| 540 x509 = ngx_ssl_load_certificate(pool, &err, cert, &chain); | |
| 541 if (x509 == NULL) { | |
| 542 if (err != NULL) { | |
| 543 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
| 544 "cannot load certificate \"%s\": %s", | |
| 545 cert->data, err); | |
| 546 } | |
| 547 | |
| 548 return NGX_ERROR; | |
| 549 } | |
| 550 | |
| 551 if (SSL_use_certificate(c->ssl->connection, x509) == 0) { | |
| 552 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
| 553 "SSL_use_certificate(\"%s\") failed", cert->data); | |
| 554 X509_free(x509); | |
| 555 sk_X509_pop_free(chain, X509_free); | |
| 556 return NGX_ERROR; | |
| 557 } | |
| 558 | |
| 559 X509_free(x509); | |
| 560 | |
| 561 #ifdef SSL_set0_chain | |
| 562 | |
| 563 /* | |
| 564 * SSL_set0_chain() is only available in OpenSSL 1.0.2+, | |
| 565 * but this function is only called via certificate callback, | |
| 566 * which is only available in OpenSSL 1.0.2+ as well | |
| 567 */ | |
| 568 | |
| 569 if (SSL_set0_chain(c->ssl->connection, chain) == 0) { | |
| 570 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
| 571 "SSL_set0_chain(\"%s\") failed", cert->data); | |
| 572 sk_X509_pop_free(chain, X509_free); | |
| 573 return NGX_ERROR; | |
| 574 } | |
| 575 | |
| 576 #endif | |
| 577 | |
| 578 pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords); | |
| 579 if (pkey == NULL) { | |
| 580 if (err != NULL) { | |
| 581 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
| 582 "cannot load certificate key \"%s\": %s", | |
| 583 key->data, err); | |
| 584 } | |
| 585 | |
| 586 return NGX_ERROR; | |
| 587 } | |
| 588 | |
| 589 if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) { | |
| 590 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
| 591 "SSL_use_PrivateKey(\"%s\") failed", key->data); | |
| 592 EVP_PKEY_free(pkey); | |
| 593 return NGX_ERROR; | |
| 594 } | |
| 595 | |
| 596 EVP_PKEY_free(pkey); | |
| 597 | |
| 598 return NGX_OK; | |
| 599 } | |
| 600 | |
| 601 | |
| 531 static X509 * | 602 static X509 * |
| 532 ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, | 603 ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, |
| 533 STACK_OF(X509) **chain) | 604 STACK_OF(X509) **chain) |
| 534 { | 605 { |
| 535 BIO *bio; | 606 BIO *bio; |
| 2744 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING | 2815 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING |
| 2745 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ | 2816 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ |
| 2746 #endif | 2817 #endif |
| 2747 #ifdef SSL_R_INAPPROPRIATE_FALLBACK | 2818 #ifdef SSL_R_INAPPROPRIATE_FALLBACK |
| 2748 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ | 2819 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ |
| 2820 #endif | |
| 2821 #ifdef SSL_R_CERT_CB_ERROR | |
| 2822 || n == SSL_R_CERT_CB_ERROR /* 377 */ | |
| 2749 #endif | 2823 #endif |
| 2750 #ifdef SSL_R_VERSION_TOO_LOW | 2824 #ifdef SSL_R_VERSION_TOO_LOW |
| 2751 || n == SSL_R_VERSION_TOO_LOW /* 396 */ | 2825 || n == SSL_R_VERSION_TOO_LOW /* 396 */ |
| 2752 #endif | 2826 #endif |
| 2753 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ | 2827 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |