annotate src/mail/ngx_mail_ssl_module.c @ 7119:fef61d26da39
Fixed buffer overread with unix sockets after accept().
Some OSes (notably macOS, NetBSD, and Solaris) allow unix socket addresses
larger than struct sockaddr_un. Moreover, some of them (macOS, Solaris)
return socklen of the socket address before it was truncated to fit the
buffer provided. As such, on these systems socklen must not be used without
an additional check that it is within the buffer provided.
Appropriate checks added to ngx_event_accept() (after accept()),
ngx_event_recvmsg() (after recvmsg()), and ngx_set_inherited_sockets()
(after getsockname()).
We also obtain socket addresses via getsockname() in
ngx_connection_local_sockaddr(), but it does not need any checks as
it is only used for INET and INET6 sockets (as there can be no
wildcard unix sockets).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 04 Oct 2017 21:19:33 +0300 |
parents | 08dc60979133 |
children | 0d8c72ff62dd |
539 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
539 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
1136 | 10 #include <ngx_mail.h> |
539 | 11 |
12 | |
3960 | 13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
14 #define NGX_DEFAULT_ECDH_CURVE "auto" |
539 | 15 |
16 | |
/* configuration lifecycle handlers, registered in ngx_mail_ssl_module_ctx */
static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);

/*
 * directive handlers with module-specific parsing: "ssl", "starttls",
 * "ssl_password_file" and "ssl_session_cache" (see ngx_mail_ssl_commands)
 */
static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
539 | 28 |
29 | |
/*
 * Values accepted by the "starttls" directive; the chosen constant is
 * stored in ngx_mail_ssl_conf_t.starttls.  ngx_mail_ssl_merge_conf()
 * defaults an unset value to NGX_MAIL_STARTTLS_OFF.
 */
static ngx_conf_enum_t  ngx_mail_starttls_state[] = {
    { ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
    { ngx_string("on"), NGX_MAIL_STARTTLS_ON },
    { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY },
    { ngx_null_string, 0 }
};
36 | |
37 | |
38 | |
/*
 * Protocol names accepted by the "ssl_protocols" bitmask directive.
 * When the directive is absent, ngx_mail_ssl_merge_conf() enables
 * TLSv1, TLSv1.1 and TLSv1.2 only; "SSLv2" and "SSLv3" remain
 * recognised names here but are never enabled unless listed explicitly.
 */
static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
    { ngx_null_string, 0 }
};
48 | |
49 | |
/*
 * Values of "ssl_verify_client", stored as a plain integer in
 * ngx_mail_ssl_conf_t.verify.  0 leaves client certificate verification
 * off.  Of the non-zero modes, only 3 ("optional_no_ca") is accepted by
 * ngx_mail_ssl_merge_conf() without an "ssl_client_certificate" being set.
 */
static ngx_conf_enum_t  ngx_mail_ssl_verify[] = {
    { ngx_string("off"), 0 },
    { ngx_string("on"), 1 },
    { ngx_string("optional"), 2 },
    { ngx_string("optional_no_ca"), 3 },
    { ngx_null_string, 0 }
};
57 |
58 |
/*
 * Directives of the mail SSL module.  Every directive is allowed at both
 * the mail{} and server{} levels and is stored in the per-server
 * ngx_mail_ssl_conf_t (NGX_MAIL_SRV_CONF_OFFSET).  Consistency checks
 * between "ssl"/"starttls" and the certificate directives, as well as the
 * defaults noted below, are applied in ngx_mail_ssl_merge_conf().
 */
static ngx_command_t  ngx_mail_ssl_commands[] = {

    { ngx_string("ssl"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_mail_ssl_enable,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, enable),
      NULL },

    { ngx_string("starttls"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_mail_ssl_starttls,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, starttls),
      ngx_mail_starttls_state },           /* off | on | only */

    { ngx_string("ssl_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, certificates),
      NULL },

    /* must provide at least as many entries as "ssl_certificate" */
    { ngx_string("ssl_certificate_key"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, certificate_keys),
      NULL },

    { ngx_string("ssl_password_file"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_mail_ssl_password_file,
      NGX_MAIL_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_dhparam"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, dhparam),
      NULL },

    /* merged default: NGX_DEFAULT_ECDH_CURVE */
    { ngx_string("ssl_ecdh_curve"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, ecdh_curve),
      NULL },

    /* names are taken from ngx_mail_ssl_protocols */
    { ngx_string("ssl_protocols"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
      ngx_conf_set_bitmask_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, protocols),
      &ngx_mail_ssl_protocols },

    /* merged default: NGX_DEFAULT_CIPHERS */
    { ngx_string("ssl_ciphers"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, ciphers),
      NULL },

    { ngx_string("ssl_prefer_server_ciphers"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers),
      NULL },

    { ngx_string("ssl_session_cache"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
      ngx_mail_ssl_session_cache,
      NGX_MAIL_SRV_CONF_OFFSET,
      0,
      NULL },

    { ngx_string("ssl_session_tickets"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_tickets),
      NULL },

    /* may be given several times; each value is appended to the array */
    { ngx_string("ssl_session_ticket_key"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
      NULL },

    /* merged default: 300 seconds */
    { ngx_string("ssl_session_timeout"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_sec_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, session_timeout),
      NULL },

    /* values are taken from ngx_mail_ssl_verify; merged default: off */
    { ngx_string("ssl_verify_client"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, verify),
      &ngx_mail_ssl_verify },

    /* merged default: 1 */
    { ngx_string("ssl_verify_depth"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_num_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, verify_depth),
      NULL },

    /* required by every "ssl_verify_client" mode except optional_no_ca */
    { ngx_string("ssl_client_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, client_certificate),
      NULL },

    { ngx_string("ssl_trusted_certificate"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, trusted_certificate),
      NULL },

    { ngx_string("ssl_crl"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_MAIL_SRV_CONF_OFFSET,
      offsetof(ngx_mail_ssl_conf_t, crl),
      NULL },

      ngx_null_command
};
196 | |
197 | |
/*
 * Mail-module context: this module has no protocol of its own and no
 * main configuration; it only creates and merges the per-server
 * ngx_mail_ssl_conf_t.
 */
static ngx_mail_module_t  ngx_mail_ssl_module_ctx = {
    NULL,                                  /* protocol */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_mail_ssl_create_conf,              /* create server configuration */
    ngx_mail_ssl_merge_conf                /* merge server configuration */
};
207 | |
208 | |
/*
 * Module definition.  No process/thread lifecycle hooks are installed;
 * all work happens at configuration time through ngx_mail_ssl_commands
 * and ngx_mail_ssl_module_ctx.
 */
ngx_module_t  ngx_mail_ssl_module = {
    NGX_MODULE_V1,
    &ngx_mail_ssl_module_ctx,              /* module context */
    ngx_mail_ssl_commands,                 /* module directives */
    NGX_MAIL_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
223 | |
224 | |
/*
 * Session ID context label for the mail SSL contexts; presumably handed to
 * the session cache setup further down in ngx_mail_ssl_merge_conf() —
 * confirm against the part of that function outside this excerpt.
 */
static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL");
543 | 226 |
227 | |
/*
 * Allocates the per-server SSL configuration of the mail module.
 *
 * cf: configuration context; the struct is taken from cf->pool.
 * Returns the zero-filled ngx_mail_ssl_conf_t with every "must be merged"
 * field set to its NGX_CONF_UNSET* sentinel, or NULL when the pool
 * allocation fails.
 *
 * Fields whose "unset" representation is already zero/NULL are left as
 * ngx_pcalloc() returns them: protocols, dhparam, ecdh_curve,
 * client_certificate, trusted_certificate, crl, ciphers and shm_zone.
 */
static void *
ngx_mail_ssl_create_conf(ngx_conf_t *cf)
{
    ngx_mail_ssl_conf_t  *sslcf;

    sslcf = ngx_pcalloc(cf->pool, sizeof *sslcf);
    if (sslcf == NULL) {
        return NULL;
    }

    /* signed flag / integer values */
    sslcf->enable = NGX_CONF_UNSET;
    sslcf->prefer_server_ciphers = NGX_CONF_UNSET;
    sslcf->builtin_session_cache = NGX_CONF_UNSET;
    sslcf->session_timeout = NGX_CONF_UNSET;
    sslcf->session_tickets = NGX_CONF_UNSET;

    /* unsigned enum-like values */
    sslcf->starttls = NGX_CONF_UNSET_UINT;
    sslcf->verify = NGX_CONF_UNSET_UINT;
    sslcf->verify_depth = NGX_CONF_UNSET_UINT;

    /* array pointers filled by the *_str_array_slot / password handlers */
    sslcf->certificates = NGX_CONF_UNSET_PTR;
    sslcf->certificate_keys = NGX_CONF_UNSET_PTR;
    sslcf->passwords = NGX_CONF_UNSET_PTR;
    sslcf->session_ticket_keys = NGX_CONF_UNSET_PTR;

    return sslcf;
}
266 | |
267 | |
268 static char * | |
1136 | 269 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) |
539 | 270 { |
1136 | 271 ngx_mail_ssl_conf_t *prev = parent; |
272 ngx_mail_ssl_conf_t *conf = child; | |
539 | 273 |
2224 | 274 char *mode; |
563 | 275 ngx_pool_cleanup_t *cln; |
276 | |
539 | 277 ngx_conf_merge_value(conf->enable, prev->enable, 0); |
2224 | 278 ngx_conf_merge_uint_value(conf->starttls, prev->starttls, |
279 NGX_MAIL_STARTTLS_OFF); | |
539 | 280 |
573 | 281 ngx_conf_merge_value(conf->session_timeout, |
282 prev->session_timeout, 300); | |
283 | |
547 | 284 ngx_conf_merge_value(conf->prefer_server_ciphers, |
285 prev->prefer_server_ciphers, 0); | |
286 | |
287 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | |
288 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
289 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
547 | 290 |
291 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); |
292 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); |
293 |
294 ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); |
295 ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, |
296 NULL); |
539 | 297 |
298 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); |
299 |
2044 | 300 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
301 | |
3960 | 302 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
303 NGX_DEFAULT_ECDH_CURVE); | |
304 | |
305 ngx_conf_merge_str_value(conf->client_certificate, |
306 prev->client_certificate, ""); |
307 ngx_conf_merge_str_value(conf->trusted_certificate, |
308 prev->trusted_certificate, ""); |
309 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
310 |
2124 | 311 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
539 | 312 |
313 | |
547 | 314 conf->ssl.log = cf->log; |
539 | 315 |
2224 | 316 if (conf->enable) { |
6474 | 317 mode = "ssl"; |
2224 | 318 |
319 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) { | |
6474 | 320 mode = "starttls"; |
2224 | 321 |
322 } else { | |
6474 | 323 mode = ""; |
2224 | 324 } |
325 | |
326 if (conf->file == NULL) { |
327 conf->file = prev->file; |
328 conf->line = prev->line; |
329 } |
330 |
2224 | 331 if (*mode) { |
332 | |
333 if (conf->certificates == NULL) { |
2224 | 334 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
335 "no \"ssl_certificate\" is defined for " | |
336 "the \"%s\" directive in %s:%ui", | |
337 mode, conf->file, conf->line); | |
338 return NGX_CONF_ERROR; | |
339 } | |
340 | |
341 if (conf->certificate_keys == NULL) { |
2224 | 342 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
343 "no \"ssl_certificate_key\" is defined for " | |
344 "the \"%s\" directive in %s:%ui", | |
345 mode, conf->file, conf->line); | |
346 return NGX_CONF_ERROR; | |
347 } | |
348 | |
349 if (conf->certificate_keys->nelts < conf->certificates->nelts) { |
350 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
351 "no \"ssl_certificate_key\" is defined " |
352 "for certificate \"%V\" and " |
353 "the \"ssl\" directive in %s:%ui", |
354 ((ngx_str_t *) conf->certificates->elts) |
355 + conf->certificates->nelts - 1, |
356 conf->file, conf->line); |
357 return NGX_CONF_ERROR; |
358 } |
359 |
2224 | 360 } else { |
361 | |
362 if (conf->certificates == NULL) { |
2224 | 363 return NGX_CONF_OK; |
364 } | |
365 | |
366 if (conf->certificate_keys == NULL |
367 || conf->certificate_keys->nelts < conf->certificates->nelts) |
368 { |
2224 | 369 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
370 "no \"ssl_certificate_key\" is defined " | |
371 "for certificate \"%V\"", | |
372 ((ngx_str_t *) conf->certificates->elts) |
373 + conf->certificates->nelts - 1); |
2224 | 374 return NGX_CONF_ERROR; |
375 } | |
376 } | |
377 | |
969 | 378 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) { |
539 | 379 return NGX_CONF_ERROR; |
380 } | |
381 | |
563 | 382 cln = ngx_pool_cleanup_add(cf->pool, 0); |
383 if (cln == NULL) { | |
539 | 384 return NGX_CONF_ERROR; |
385 } | |
386 | |
563 | 387 cln->handler = ngx_ssl_cleanup_ctx; |
388 cln->data = &conf->ssl; | |
389 | |
390 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
391 conf->certificate_keys, conf->passwords) |
563 | 392 != NGX_OK) |
547 | 393 { |
394 return NGX_CONF_ERROR; | |
395 } | |
539 | 396 |
397 if (conf->verify) { |
398 |
399 if (conf->client_certificate.len == 0 && conf->verify != 3) { |
400 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
401 "no ssl_client_certificate for ssl_client_verify"); |
402 return NGX_CONF_ERROR; |
403 } |
404 |
405 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
406 &conf->client_certificate, |
407 conf->verify_depth) |
408 != NGX_OK) |
409 { |
410 return NGX_CONF_ERROR; |
411 } |
412 |
413 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
414 &conf->trusted_certificate, |
415 conf->verify_depth) |
416 != NGX_OK) |
417 { |
418 return NGX_CONF_ERROR; |
419 } |
420 |
421 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
422 return NGX_CONF_ERROR; |
423 } |
424 } |
425 |
426 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
427 conf->prefer_server_ciphers) |
428 != NGX_OK) |
429 { |
430 return NGX_CONF_ERROR; |
539 | 431 } |
432 | |
2044 | 433 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
434 return NGX_CONF_ERROR; | |
435 } | |
436 | |
437 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
438 return NGX_CONF_ERROR; |
439 } |
440 |
976 | 441 ngx_conf_merge_value(conf->builtin_session_cache, |
2032 | 442 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); |
976 | 443 |
444 if (conf->shm_zone == NULL) { | |
445 conf->shm_zone = prev->shm_zone; | |
446 } | |
539 | 447 |
1136 | 448 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, |
976 | 449 conf->builtin_session_cache, |
450 conf->shm_zone, conf->session_timeout) | |
451 != NGX_OK) | |
452 { | |
453 return NGX_CONF_ERROR; | |
454 } | |
573 | 455 |
456 ngx_conf_merge_value(conf->session_tickets, |
457 prev->session_tickets, 1); |
458 |
459 #ifdef SSL_OP_NO_TICKET |
460 if (!conf->session_tickets) { |
461 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET); |
462 } |
463 #endif |
464 |
465 ngx_conf_merge_ptr_value(conf->session_ticket_keys, |
466 prev->session_ticket_keys, NULL); |
467 |
468 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys) |
469 != NGX_OK) |
470 { |
471 return NGX_CONF_ERROR; |
472 } |
473 |
539 | 474 return NGX_CONF_OK; |
475 } | |
563 | 476 |
577 | 477 |
/*
 * Handler for the "ssl" flag directive.  Parses the on/off value through the
 * generic flag slot, then refuses "ssl on" when "starttls" is already enabled
 * in the same block, since the two are mutually exclusive.  On success the
 * file name and line of the directive are recorded in the module conf.
 *
 * Returns NGX_CONF_OK, the error string from the flag slot, or
 * NGX_CONF_ERROR after logging the conflict.
 */
static char *
ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t  *scf = conf;

    char  *err;

    err = ngx_conf_set_flag_slot(cf, cmd, conf);
    if (err != NGX_CONF_OK) {
        return err;
    }

    /* no conflict: either ssl is off or starttls is not enabled */
    if (!scf->enable || (ngx_int_t) scf->starttls <= NGX_MAIL_STARTTLS_OFF) {
        scf->file = cf->conf_file->file.name.data;
        scf->line = cf->conf_file->line;

        return NGX_CONF_OK;
    }

    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "\"starttls\" directive conflicts with \"ssl on\"");

    return NGX_CONF_ERROR;
}
502 | |
503 | |
/*
 * Handler for the "starttls" enum directive.  Parses the value through the
 * generic enum slot, then refuses any enabled starttls mode when "ssl" has
 * already been switched on in the same block.  On success the file name and
 * line of the directive are recorded in the module conf.
 *
 * Returns NGX_CONF_OK, the error string from the enum slot, or
 * NGX_CONF_ERROR after logging the conflict.
 */
static char *
ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t  *scf = conf;

    char  *err;
    int    conflict;

    err = ngx_conf_set_enum_slot(cf, cmd, conf);
    if (err != NGX_CONF_OK) {
        return err;
    }

    /*
     * scf->enable is compared with 1 rather than tested for truth: if "ssl"
     * was never given it still holds the NGX_CONF_UNSET sentinel, which must
     * not count as "ssl on".
     */
    conflict = (scf->enable == 1
                && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF);

    if (conflict) {
        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                           "\"ssl\" directive conflicts with \"starttls\"");
        return NGX_CONF_ERROR;
    }

    scf->file = cf->conf_file->file.name.data;
    scf->line = cf->conf_file->line;

    return NGX_CONF_OK;
}
528 | |
529 | |
/*
 * Handler for the "ssl_password_file" directive.  Loads the private key
 * passphrases from the file named by the single argument into scf->passwords.
 * The directive may be given at most once per block.
 *
 * Returns NGX_CONF_OK, "is duplicate" on a repeated directive, or
 * NGX_CONF_ERROR when the file could not be read.
 */
static char *
ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_mail_ssl_conf_t  *scf = conf;

    ngx_str_t  *args;

    if (scf->passwords != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    /* args[0] is the directive name itself, args[1] the file path */
    args = cf->args->elts;

    scf->passwords = ngx_ssl_read_password_file(cf, &args[1]);

    return (scf->passwords == NULL) ? NGX_CONF_ERROR : NGX_CONF_OK;
}
551 |
552 |
553 static char * |
1136 | 554 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
976 | 555 { |
1136 | 556 ngx_mail_ssl_conf_t *scf = conf; |
976 | 557 |
558 size_t len; | |
559 ngx_str_t *value, name, size; | |
560 ngx_int_t n; | |
561 ngx_uint_t i, j; | |
562 | |
563 value = cf->args->elts; | |
564 | |
565 for (i = 1; i < cf->args->nelts; i++) { | |
566 | |
1778 | 567 if (ngx_strcmp(value[i].data, "off") == 0) { |
568 scf->builtin_session_cache = NGX_SSL_NO_SCACHE; | |
569 continue; | |
570 } | |
571 | |
2032 | 572 if (ngx_strcmp(value[i].data, "none") == 0) { |
573 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE; | |
574 continue; | |
575 } | |
576 | |
976 | 577 if (ngx_strcmp(value[i].data, "builtin") == 0) { |
578 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
579 continue; | |
580 } | |
581 | |
582 if (value[i].len > sizeof("builtin:") - 1 | |
583 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
584 == 0) | |
585 { | |
586 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
587 value[i].len - (sizeof("builtin:") - 1)); | |
588 | |
589 if (n == NGX_ERROR) { | |
590 goto invalid; | |
591 } | |
592 | |
593 scf->builtin_session_cache = n; | |
594 | |
595 continue; | |
596 } | |
597 | |
598 if (value[i].len > sizeof("shared:") - 1 | |
599 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
600 == 0) | |
601 { | |
602 len = 0; | |
603 | |
604 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
605 if (value[i].data[j] == ':') { | |
606 break; | |
607 } | |
608 | |
609 len++; | |
610 } | |
611 | |
612 if (len == 0) { | |
613 goto invalid; | |
614 } | |
615 | |
616 name.len = len; | |
617 name.data = value[i].data + sizeof("shared:") - 1; | |
618 | |
619 size.len = value[i].len - j - 1; | |
620 size.data = name.data + len + 1; | |
621 | |
622 n = ngx_parse_size(&size); | |
623 | |
624 if (n == NGX_ERROR) { | |
625 goto invalid; | |
626 } | |
627 | |
628 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
629 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
630 "session cache \"%V\" is too small", | |
631 &value[i]); | |
632 | |
633 return NGX_CONF_ERROR; | |
634 } | |
635 | |
636 scf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
1136 | 637 &ngx_mail_ssl_module); |
976 | 638 if (scf->shm_zone == NULL) { |
639 return NGX_CONF_ERROR; | |
640 } | |
641 | |
4153
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
642 scf->shm_zone->init = ngx_ssl_session_cache_init; |
7de74ed694c8
Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993).
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
643 |
976 | 644 continue; |
645 } | |
646 | |
647 goto invalid; | |
648 } | |
649 | |
650 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) { | |
651 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
652 } | |
653 | |
654 return NGX_CONF_OK; | |
655 | |
656 invalid: | |
657 | |
658 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
659 "invalid session cache \"%V\"", &value[i]); | |
660 | |
661 return NGX_CONF_ERROR; | |
662 } |