annotate src/mail/ngx_mail_ssl_module.c @ 6272:b6a665bf858a
HTTP/2: fix indirect reprioritization.
Previously, streams that were indirectly reprioritized (either because of
a new exclusive dependency on their parent or because of removal of their
parent from the dependency tree), didn't have their pointer to the parent
node updated.
This broke detection of circular dependencies and, as a result, nginx
worker would crash due to stack overflow whenever such dependency was
introduced.
Found with afl-fuzz.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
author | Piotr Sikora <piotrsikora@google.com> |
date | Thu, 01 Oct 2015 20:25:55 -0700 |
parents | b2899e7d0ef8 |
children | 2cd019520210 |
/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */


#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_mail.h>


/*
 * Default for the "ssl_ciphers" directive, applied by
 * ngx_mail_ssl_merge_conf() when no value is configured: "HIGH" strength
 * suites only, with anonymous/unauthenticated (!aNULL) and MD5-MAC (!MD5)
 * suites excluded.
 */
#define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"

/* Default for the "ssl_ecdh_curve" directive (NIST P-256). */
#define NGX_DEFAULT_ECDH_CURVE  "prime256v1"


static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);

/* Directive handlers that need more than a plain slot setter. */
static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
/*
 * Values accepted by the "starttls" directive; passed as the post argument
 * of that directive's ngx_command_t entry and stored in
 * ngx_mail_ssl_conf_t.starttls.
 */
static ngx_conf_enum_t  ngx_mail_starttls_state[] = {
    { ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
    { ngx_string("on"), NGX_MAIL_STARTTLS_ON },
    { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY },
    { ngx_null_string, 0 }
};
/*
 * Bitmask values accepted by the "ssl_protocols" directive.
 *
 * SSLv2 and SSLv3 remain selectable here, but they are not part of the
 * default mask that ngx_mail_ssl_merge_conf() applies when the directive
 * is absent (TLSv1, TLSv1.1 and TLSv1.2 only); a configuration has to
 * list them explicitly to enable them.
 */
static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_null_string, 0 }
};
/*
 * Values accepted by the "ssl_verify_client" directive; stored in
 * ngx_mail_ssl_conf_t.verify.
 *
 * The numeric values are compared literally elsewhere in this module
 * (ngx_mail_ssl_merge_conf() treats 3, "optional_no_ca", as the only
 * verification mode allowed without an ssl_client_certificate), so they
 * must not be renumbered without updating those checks.
 */
static ngx_conf_enum_t  ngx_mail_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_string("optional_no_ca"), 3 },
    { ngx_null_string, 0 }
};
/*
 * Directives of the mail SSL module.  Every directive is allowed in both
 * the mail{} and server{} contexts and is stored in the per-server
 * ngx_mail_ssl_conf_t (NGX_MAIL_SRV_CONF_OFFSET).
 */
static ngx_command_t  ngx_mail_ssl_commands[] = {

    { ngx_string("ssl"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_mail_ssl_enable,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, enable),
      NULL },

    { ngx_string("starttls"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_mail_ssl_starttls,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, starttls),
      ngx_mail_starttls_state },

    { ngx_string("ssl_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, certificate),
      NULL },

    { ngx_string("ssl_certificate_key"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, certificate_key),
      NULL },

    /* no slot offset: the handler fills ngx_mail_ssl_conf_t.passwords itself */
    { ngx_string("ssl_password_file"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_mail_ssl_password_file,
      NGX_MAIL_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, dhparam),
      NULL },

    { ngx_string("ssl_ecdh_curve"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, ecdh_curve),
      NULL },

    /* one or more protocol names, see ngx_mail_ssl_protocols[] */
    { ngx_string("ssl_protocols"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, protocols),
      &ngx_mail_ssl_protocols },

    { ngx_string("ssl_ciphers"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, ciphers),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers),
      NULL },

    /* one or two arguments, parsed entirely by the handler */
    { ngx_string("ssl_session_cache"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
      ngx_mail_ssl_session_cache,
      NGX_MAIL_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_tickets"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_tickets),
      NULL },

    /* may be repeated; each occurrence appends to the key array */
    { ngx_string("ssl_session_ticket_key"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
      NULL },

    { ngx_string("ssl_session_timeout"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_timeout),
      NULL },

    /* client certificate verification, see ngx_mail_ssl_verify[] */
    { ngx_string("ssl_verify_client"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, verify),
      &ngx_mail_ssl_verify },

    { ngx_string("ssl_verify_depth"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_num_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, verify_depth),
      NULL },

    { ngx_string("ssl_client_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, client_certificate),
      NULL },

    { ngx_string("ssl_trusted_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, trusted_certificate),
      NULL },

    { ngx_string("ssl_crl"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, crl),
      NULL },

      ngx_null_command
};
/*
 * Mail module context.  This module implements no mail protocol and keeps
 * no main-level configuration; it only creates and merges the per-server
 * ngx_mail_ssl_conf_t.
 */
static ngx_mail_module_t  ngx_mail_ssl_module_ctx = {
    NULL,                                  /* protocol */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_mail_ssl_create_conf,              /* create server configuration */
    ngx_mail_ssl_merge_conf                /* merge server configuration */
};
/*
 * Module definition.  All process lifecycle hooks are unused; the module's
 * whole behaviour is driven by its directives and the configuration merge.
 */
ngx_module_t  ngx_mail_ssl_module = {
    NGX_MODULE_V1,
    &ngx_mail_ssl_module_ctx,              /* module context */
    ngx_mail_ssl_commands,                 /* module directives */
    NGX_MAIL_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
/*
 * Session ID context handed to ngx_ssl_session_cache() in
 * ngx_mail_ssl_merge_conf(), so that mail sessions are kept apart from
 * sessions created by other nginx SSL contexts.
 */
static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL");
/*
 * Allocates the per-server SSL configuration.
 *
 * Every field that ngx_mail_ssl_merge_conf() later merges with
 * ngx_conf_merge_*() is preset to the matching NGX_CONF_UNSET* marker so
 * that an unconfigured server inherits the mail{} level value.  Fields not
 * listed here (protocols, the ngx_str_t paths and cipher string, shm_zone,
 * file/line) rely on ngx_pcalloc() zero-filling the structure.
 *
 * Returns the new configuration, or NULL if allocation from cf->pool fails.
 */
static void *
ngx_mail_ssl_create_conf(ngx_conf_t *cf)
{
    ngx_mail_ssl_conf_t  *sscf;

    sscf = ngx_pcalloc(cf->pool, sizeof *sscf);
    if (sscf == NULL) {
        return NULL;
    }

    /* ngx_flag_t / ngx_int_t values */
    sscf->enable = NGX_CONF_UNSET;
    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
    sscf->builtin_session_cache = NGX_CONF_UNSET;
    sscf->session_timeout = NGX_CONF_UNSET;
    sscf->session_tickets = NGX_CONF_UNSET;

    /* ngx_uint_t values */
    sscf->starttls = NGX_CONF_UNSET_UINT;
    sscf->verify = NGX_CONF_UNSET_UINT;
    sscf->verify_depth = NGX_CONF_UNSET_UINT;

    /* pointer values (arrays filled by their directive handlers) */
    sscf->passwords = NGX_CONF_UNSET_PTR;
    sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;

    return sscf;
}
267 static char * | |
1136 | 268 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) |
539 | 269 { |
1136 | 270 ngx_mail_ssl_conf_t *prev = parent; |
271 ngx_mail_ssl_conf_t *conf = child; | |
539 | 272 |
2224 | 273 char *mode; |
563 | 274 ngx_pool_cleanup_t *cln; |
275 | |
539 | 276 ngx_conf_merge_value(conf->enable, prev->enable, 0); |
2224 | 277 ngx_conf_merge_uint_value(conf->starttls, prev->starttls, |
278 NGX_MAIL_STARTTLS_OFF); | |
539 | 279 |
573 | 280 ngx_conf_merge_value(conf->session_timeout, |
281 prev->session_timeout, 300); | |
282 | |
547 | 283 ngx_conf_merge_value(conf->prefer_server_ciphers, |
284 prev->prefer_server_ciphers, 0); | |
285 | |
286 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
6157
b2899e7d0ef8
Disabled SSLv3 by default (ticket #653).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6035
diff
changeset
|
287 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4153
diff
changeset
|
288 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
547 | 289 |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
290 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
291 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
292 |
2224 | 293 ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); |
294 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); | |
539 | 295 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
296 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
297 |
2044 | 298 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
299 | |
3960 | 300 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
301 NGX_DEFAULT_ECDH_CURVE); | |
302 | |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
303 ngx_conf_merge_str_value(conf->client_certificate, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
304 prev->client_certificate, ""); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
305 ngx_conf_merge_str_value(conf->trusted_certificate, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
306 prev->trusted_certificate, ""); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
307 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
308 |
2124 | 309 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
539 | 310 |
311 | |
547 | 312 conf->ssl.log = cf->log; |
539 | 313 |
2224 | 314 if (conf->enable) { |
315 mode = "ssl"; | |
316 | |
317 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | |
318 mode = "starttls"; | |
319 | |
320 } else { | |
321 mode = ""; | |
322 } | |
323 | |
5401
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
324 if (conf->file == NULL) { |
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
325 conf->file = prev->file; |
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
326 conf->line = prev->line; |
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
327 } |
09fc4598fc8e
Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5387
diff
changeset
|
328 |
2224 | 329 if (*mode) { |
330 | |
331 if (conf->certificate.len == 0) { | |
332 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
333 "no \"ssl_certificate\" is defined for " | |
334 "the \"%s\" directive in %s:%ui", | |
335 mode, conf->file, conf->line); | |
336 return NGX_CONF_ERROR; | |
337 } | |
338 | |
339 if (conf->certificate_key.len == 0) { | |
340 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
341 "no \"ssl_certificate_key\" is defined for " | |
342 "the \"%s\" directive in %s:%ui", | |
343 mode, conf->file, conf->line); | |
344 return NGX_CONF_ERROR; | |
345 } | |
346 | |
347 } else { | |
348 | |
349 if (conf->certificate.len == 0) { | |
350 return NGX_CONF_OK; | |
351 } | |
352 | |
353 if (conf->certificate_key.len == 0) { | |
354 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
355 "no \"ssl_certificate_key\" is defined " | |
356 "for certificate \"%V\"", | |
357 &conf->certificate); | |
358 return NGX_CONF_ERROR; | |
359 } | |
360 } | |
361 | |
969 | 362 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
539 | 363 return NGX_CONF_ERROR; |
364 } | |
365 | |
563 | 366 cln = ngx_pool_cleanup_add(cf->pool, 0); |
367 if (cln == NULL) { | |
539 | 368 return NGX_CONF_ERROR; |
369 } | |
370 | |
563 | 371 cln->handler = ngx_ssl_cleanup_ctx; |
372 cln->data = &conf->ssl; | |
373 | |
374 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5503
diff
changeset
|
375 &conf->certificate_key, conf->passwords) |
563 | 376 != NGX_OK) |
547 | 377 { |
378 return NGX_CONF_ERROR; | |
379 } | |
539 | 380 |
5989
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
381 if (conf->verify) { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
382 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
383 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
384 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
385 "no ssl_client_certificate for ssl_client_verify"); |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
386 return NGX_CONF_ERROR; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
387 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
388 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
389 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
390 &conf->client_certificate, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
391 conf->verify_depth) |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
392 != NGX_OK) |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
393 { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
394 return NGX_CONF_ERROR; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
395 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
396 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
397 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
398 &conf->trusted_certificate, |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
399 conf->verify_depth) |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
400 != NGX_OK) |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
401 { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
402 return NGX_CONF_ERROR; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
403 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
404 |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
405 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
406 return NGX_CONF_ERROR; |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
407 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
408 } |
ec01b1d1fff1
Mail: client SSL certificates support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
409 |
5387
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
410 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
411 (const char *) conf->ciphers.data) |
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
412 == 0) |
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
413 { |
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
414 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
415 "SSL_CTX_set_cipher_list(\"%V\") failed", |
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
416 &conf->ciphers); |
0fbcfab0bfd7
SSL: stop loading configs with invalid "ssl_ciphers" values.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
417 return NGX_CONF_ERROR; |
539 | 418 } |
419 | |
563 | 420 if (conf->prefer_server_ciphers) { |
421 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | |
422 } | |
423 | |
6035
a84267233877
SSL: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5989
diff
changeset
|
424 #ifndef LIBRESSL_VERSION_NUMBER |
425 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); |
426 #endif |
539 | 427 |
2044 | 428 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
429 return NGX_CONF_ERROR; | |
430 } | |
431 | |
432 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
433 return NGX_CONF_ERROR; |
434 } |
435 |
976 | 436 ngx_conf_merge_value(conf->builtin_session_cache, |
2032 | 437 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
976 | 438 |
439 if (conf->shm_zone == NULL) { | |
440 conf->shm_zone = prev->shm_zone; | |
441 } | |
539 | 442 |
1136 | 443 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, |
976 | 444 conf->builtin_session_cache, |
445 conf->shm_zone, conf->session_timeout) | |
446 != NGX_OK) | |
447 { | |
448 return NGX_CONF_ERROR; | |
449 } | |
573 | 450 |
451 ngx_conf_merge_value(conf->session_tickets, |
452 prev->session_tickets, 1); |
453 |
454 #ifdef SSL_OP_NO_TICKET |
455 if (!conf->session_tickets) { |
456 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); |
457 } |
458 #endif |
459 |
460 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
461 prev->session_ticket_keys, NULL); |
462 |
463 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
464 != NGX_OK) |
465 { |
466 return NGX_CONF_ERROR; |
467 } |
468 |
539 | 469 return NGX_CONF_OK; |
470 } | |
563 | 471 |
577 | 472 |
/*
 * Handler for the "ssl" directive.
 *
 * Parses the on/off argument into scf->enable and then refuses the
 * combination of "ssl on" with a "starttls" mode other than "off", as
 * the two directives describe mutually exclusive ways of bringing TLS
 * up on a listener.  On success the position of the directive in the
 * configuration file is recorded in scf->file / scf->line.
 *
 * Returns NGX_CONF_OK, NGX_CONF_ERROR on a conflict, or the error string
 * produced by ngx_conf_set_flag_slot().
 */
static char *
ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    char                 *err;
    ngx_mail_ssl_conf_t  *scf;

    scf = conf;

    err = ngx_conf_set_flag_slot(cf, cmd, conf);
    if (err != NGX_CONF_OK) {
        return err;
    }

    /*
     * The conflict is fatal (NGX_CONF_ERROR is returned) although it is
     * logged at NGX_LOG_WARN; the "starttls" handler below does the same,
     * so the level is kept for consistency with it.
     */
    if (scf->enable
        && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF)
    {
        ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
                           "\"starttls\" directive conflicts with \"ssl on\"");
        return NGX_CONF_ERROR;
    }

    /* remember where "ssl" was set */
    scf->file = cf->conf_file->file.name.data;
    scf->line = cf->conf_file->line;

    return NGX_CONF_OK;
}
497 | |
498 | |
/*
 * Handler for the "starttls" directive.
 *
 * Stores the selected mode (parsed by ngx_conf_set_enum_slot()) in
 * scf->starttls and refuses any mode other than "off" when "ssl on" is
 * already set at this level -- the mirror image of the check in the
 * "ssl" handler.  On success the position of the directive in the
 * configuration file is recorded in scf->file / scf->line.
 *
 * Returns NGX_CONF_OK, NGX_CONF_ERROR on a conflict, or the error string
 * produced by ngx_conf_set_enum_slot().
 */
static char *
ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    char                 *err;
    ngx_mail_ssl_conf_t  *scf;

    scf = conf;

    err = ngx_conf_set_enum_slot(cf, cmd, conf);
    if (err != NGX_CONF_OK) {
        return err;
    }

    /*
     * scf->enable is compared with 1 explicitly rather than truth-tested;
     * presumably it can still hold NGX_CONF_UNSET (-1) here -- confirm
     * against the create_conf handler.  The conflict is fatal even though
     * it is logged at NGX_LOG_WARN.
     */
    if (scf->enable == 1
        && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF)
    {
        ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
                           "\"ssl\" directive conflicts with \"starttls\"");
        return NGX_CONF_ERROR;
    }

    /* remember where "starttls" was set */
    scf->file = cf->conf_file->file.name.data;
    scf->line = cf->conf_file->line;

    return NGX_CONF_OK;
}
523 | |
524 | |
/*
 * Handler for the "ssl_password_file" directive.
 *
 * Reads the file named by the directive's single argument through
 * ngx_ssl_read_password_file() at configuration time and stores the
 * result in scf->passwords.  The directive may appear at most once per
 * configuration level.
 *
 * NOTE(review): by its name the file holds passphrases, presumably for
 * encrypted private keys -- confirm in ngx_event_openssl.c.  Its
 * contents are secrets and its permissions deserve the same care as the
 * key files themselves.
 *
 * Returns NGX_CONF_OK, "is duplicate" for a repeated directive, or
 * NGX_CONF_ERROR when the file could not be read.
 */
static char *
ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_str_t            *args;
    ngx_mail_ssl_conf_t  *scf;

    scf = conf;

    /* a second occurrence at the same level is a configuration error */
    if (scf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    args = cf->args->elts;

    /* args[0] is the directive name, args[1] the file name */
    scf->passwords = ngx_ssl_read_password_file(cf, &args[1]);

    return (scf->passwords == NULL) ? NGX_CONF_ERROR : NGX_CONF_OK;
}
546 |
547 |
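/*
 * Handler for the "ssl_session_cache" directive.
 *
 * Accepts one or more of the following arguments:
 *
 *   off                   -> NGX_SSL_NO_SCACHE
 *   none                  -> NGX_SSL_NONE_SCACHE
 *   builtin               -> NGX_SSL_DFLT_BUILTIN_SCACHE
 *   builtin:<number>      -> builtin cache of the given size
 *   shared:<name>:<size>  -> shared memory zone "<name>" of <size> bytes,
 *                            which must be at least 8 * ngx_pagesize
 *
 * When a shared zone is given and no builtin variant was named, the
 * builtin cache is switched off (NGX_SSL_NO_BUILTIN_SCACHE).
 *
 * Fix: "shared:<name>" with no ":<size>" part used to run past the end
 * of the argument.  With no ':' found, j reaches value[i].len, so
 * size.len = value[i].len - j - 1 underflows to (size_t) -1 and
 * size.data points past the end of the argument string; ngx_parse_size()
 * then reads out of bounds.  Such an argument is now rejected as invalid.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR after logging the offending
 * argument at NGX_LOG_EMERG.
 */
static char *
ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t  *scf = conf;

    size_t       len;
    ngx_str_t   *value, name, size;
    ngx_int_t    n;
    ngx_uint_t   i, j;

    value = cf->args->elts;

    for (i = 1; i < cf->args->nelts; i++) {

        if (ngx_strcmp(value[i].data, "off") == 0) {
            scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "none") == 0) {
            scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
            continue;
        }

        if (ngx_strcmp(value[i].data, "builtin") == 0) {
            scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
            continue;
        }

        if (value[i].len > sizeof("builtin:") - 1
            && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
               == 0)
        {
            /* everything after "builtin:" must be a decimal number */
            n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
                         value[i].len - (sizeof("builtin:") - 1));

            if (n == NGX_ERROR) {
                goto invalid;
            }

            scf->builtin_session_cache = n;

            continue;
        }

        if (value[i].len > sizeof("shared:") - 1
            && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
               == 0)
        {
            /* scan the zone name up to the ':' that separates the size */
            len = 0;

            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
                if (value[i].data[j] == ':') {
                    break;
                }

                len++;
            }

            /* an empty name, or a name with no ":<size>" after it */
            if (len == 0 || j == value[i].len) {
                goto invalid;
            }

            name.len = len;
            name.data = value[i].data + sizeof("shared:") - 1;

            /* j < value[i].len here, so this cannot underflow */
            size.len = value[i].len - j - 1;
            size.data = name.data + len + 1;

            n = ngx_parse_size(&size);

            if (n == NGX_ERROR) {
                goto invalid;
            }

            if (n < (ngx_int_t) (8 * ngx_pagesize)) {
                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                                   "session cache \"%V\" is too small",
                                   &value[i]);

                return NGX_CONF_ERROR;
            }

            scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
                                                  &ngx_mail_ssl_module);
            if (scf->shm_zone == NULL) {
                return NGX_CONF_ERROR;
            }

            scf->shm_zone->init = ngx_ssl_session_cache_init;

            continue;
        }

        goto invalid;
    }

    if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
        scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
    }

    return NGX_CONF_OK;

invalid:

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "invalid session cache \"%V\"", &value[i]);

    return NGX_CONF_ERROR;
}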
657 } |