comparison src/event/ngx_event_openssl.c @ 8839:fac88e160653 quic

Merged with the default branch.
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 01 Sep 2021 10:57:25 +0300
parents 6674a50cbb6c dda421871bc2
children 61d0fa67b55e
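--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -297,15 +297,10 @@
 
 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
 #endif
 
-#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
-/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
-SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
-#endif
-
 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
 #endif
 
 #ifdef SSL_OP_TLS_D5_BUG
@@ -374,10 +369,14 @@
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
 #endif
 
 #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+#endif
+
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
 #endif
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
@@ -856,15 +855,10 @@
 }
 
 if (prefer_server_ciphers) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
-
-#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
-/* a temporary 512-bit RSA key is required for export versions of MSIE */
-SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
-#endif
 
 return NGX_OK;
 }
 
 
@@ -1114,32 +1108,10 @@
 }
 }
 }
 
 
-RSA *
-ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
-int key_length)
-{
-static RSA *key;
-
-if (key_length != 512) {
-return NULL;
-}
-
-#if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED)
-
-if (key == NULL) {
-key = RSA_generate_key(512, RSA_F4, NULL, NULL);
-}
-
-#endif
-
-return key;
-}
-
-
 ngx_array_t *
 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
 {
 u_char *p, *last, *end;
 size_t len;
@@ -1348,11 +1320,10 @@
 
 
 ngx_int_t
 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
 {
-DH *dh;
 BIO *bio;
 
 if (file->len == 0) {
 return NGX_OK;
 }
@@ -1365,22 +1336,59 @@
 if (bio == NULL) {
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 "BIO_new_file(\"%s\") failed", file->data);
 return NGX_ERROR;
 }
+
+#ifdef SSL_CTX_set_tmp_dh
+{
+DH *dh;
 
 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
 if (dh == NULL) {
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 "PEM_read_bio_DHparams(\"%s\") failed", file->data);
 BIO_free(bio);
 return NGX_ERROR;
 }
 
-SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"SSL_CTX_set_tmp_dh(\"%s\") failed", file->data);
+DH_free(dh);
+BIO_free(bio);
+return NGX_ERROR;
+}
 
 DH_free(dh);
+}
+#else
+{
+EVP_PKEY *dh;
+
+/*
+* PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh()
+* are deprecated in OpenSSL 3.0
+*/
+
+dh = PEM_read_bio_Parameters(bio, NULL);
+if (dh == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"PEM_read_bio_Parameters(\"%s\") failed", file->data);
+BIO_free(bio);
+return NGX_ERROR;
+}
+
+if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data);
+BIO_free(bio);
+return NGX_ERROR;
+}
+}
+#endif
+
 BIO_free(bio);
 
 return NGX_OK;
 }
 
@@ -1738,10 +1746,13 @@
 c->recv = ngx_ssl_recv;
 c->send = ngx_ssl_write;
 c->recv_chain = ngx_ssl_recv_chain;
 c->send_chain = ngx_ssl_send_chain;
 
+c->read->ready = 1;
+c->write->ready = 1;
+
 #ifndef SSL_OP_NO_RENEGOTIATION
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 
 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
@@ -1882,10 +1893,13 @@
 
 c->recv = ngx_ssl_recv;
 c->send = ngx_ssl_write;
 c->recv_chain = ngx_ssl_recv_chain;
 c->send_chain = ngx_ssl_send_chain;
+
+c->read->ready = 1;
+c->write->ready = 1;
 
 rc = ngx_ssl_ocsp_validate(c);
 
 if (rc == NGX_ERROR) {
 return NGX_ERROR;
@@ -3239,11 +3253,11 @@
 if (ERR_peek_error()) {
 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);
 
 for ( ;; ) {
 
-n = ERR_peek_error_line_data(NULL, NULL, &data, &flags);
+n = ERR_peek_error_data(&data, &flags);
 
 if (n == 0) {
 break;
 }
 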
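Review bot: The error message in the OpenSSL 3.0 branch of ngx_ssl_dhparam() (new line 1383) is malformed: `\%s\"` is not a valid C escape sequence, so the compiler warns and the logged text comes out as `SSL_CTX_set0_tmp_dh_pkey(<file>") failed` with the opening quote missing; it should read `"SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed", file->data);` to match the sibling messages in the same function. On that same failure path the EVP_PKEY `dh` is not released before returning, unlike the legacy branch which calls DH_free(dh) on SSL_CTX_set_tmp_dh() failure; whether SSL_CTX_set0_tmp_dh_pkey() leaves ownership with the caller on failure depends on the OpenSSL version, so confirm against the targeted release and add `EVP_PKEY_free(dh);` there if the caller still owns it. The beginning of ngx_ssl_dhparam(), including the BIO_new_file() call whose result the shown `if (bio == NULL)` checks, lies outside this hunk.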