comparison src/http/modules/ngx_http_ssl_module.c @ 9060:5fd628b89bb7 quic
HTTP/3: fixed OpenSSL compatibility layer initialization.
SSL context is not present if the default server has neither certificates nor
ssl_reject_handshake enabled. Previously, this led to null pointer dereference
before it would be caught with configuration checks.
Additionally, non-default servers with distinct SSL contexts need to initialize
compatibility layer in order to complete a QUIC handshake.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 24 Mar 2023 19:49:50 +0400 |
parents | c851a2ed5ce8 |
children | 0af598651e33 |
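--- a/src/http/modules/ngx_http_ssl_module.c	9048:f4279edda9fd
+++ b/src/http/modules/ngx_http_ssl_module.c	9060:5fd628b89bb7
@@ -54,10 +54,14 @@
 
 static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
 void *data);
 
 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
+#if (NGX_QUIC_OPENSSL_COMPAT)
+static ngx_int_t ngx_http_ssl_quic_compat_init(ngx_conf_t *cf,
+ngx_http_conf_addr_t *addr);
+#endif
 
 
 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
@@ -1326,25 +1330,25 @@
 
 if (!addr[a].opt.ssl && !addr[a].opt.quic) {
 continue;
 }
 
+if (addr[a].opt.quic) {
+name = "quic";
+
+#if (NGX_QUIC_OPENSSL_COMPAT)
+if (ngx_http_ssl_quic_compat_init(cf, &addr[a]) != NGX_OK) {
+return NGX_ERROR;
+}
+#endif
+
+} else {
+name = "ssl";
+}
+
 cscf = addr[a].default_server;
 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
-
-if (addr[a].opt.quic) {
-name = "quic";
-
-#if (NGX_QUIC_OPENSSL_COMPAT)
-if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) {
-return NGX_ERROR;
-}
-#endif
-
-} else {
-name = "ssl";
-}
 
 if (sscf->certificates) {
 
 if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) {
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
@@ -1389,5 +1393,33 @@
 }
 }
 
 return NGX_OK;
 }
+
+
+#if (NGX_QUIC_OPENSSL_COMPAT)
+
+static ngx_int_t
+ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, ngx_http_conf_addr_t *addr)
+{
+ngx_uint_t s;
+ngx_http_ssl_srv_conf_t *sscf;
+ngx_http_core_srv_conf_t **cscfp, *cscf;
+
+cscfp = addr->servers.elts;
+for (s = 0; s < addr->servers.nelts; s++) {
+
+cscf = cscfp[s];
+sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
+
+if (sscf->certificates || sscf->reject_handshake) {
+if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) {
+return NGX_ERROR;
+}
+}
+}
+
+return NGX_OK;
+}
+
+#endif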
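Review bot: The guard `sscf->certificates || sscf->reject_handshake` in ngx_http_ssl_quic_compat_init() is what keeps a NULL `sscf->ssl.ctx` away from ngx_quic_compat_init(), but nothing in the function says so. The condition has to stay in step with wherever the SSL context is created, which is outside this diff. I would add a comment above it such as `/* ssl.ctx exists only for servers with certificates or ssl_reject_handshake */`. Alternatively, assuming `ssl.ctx` is left NULL when no context is built, test the pointer itself with `if (sscf->ssl.ctx == NULL) { continue; }`, so the null check cannot drift from the creation logic. Separately, the helper now runs once per quic address over all of that address's servers, so a server attached to several quic listeners would have ngx_quic_compat_init() called on the same context more than once; that function is not shown here, so it is worth confirming it is safe to repeat.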