Mercurial > hg > nginx-quic
comparison src/http/modules/ngx_http_ssl_module.c @ 9060:5fd628b89bb7 quic
HTTP/3: fixed OpenSSL compatibility layer initialization.
SSL context is not present if the default server has neither certificates nor
ssl_reject_handshake enabled. Previously, this led to null pointer dereference
before it would be caught with configuration checks.
Additionally, non-default servers with distinct SSL contexts need to initialize
compatibility layer in order to complete a QUIC handshake.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 24 Mar 2023 19:49:50 +0400 |
| parents | c851a2ed5ce8 |
| children | 0af598651e33 |
comparison
equal
deleted
inserted
replaced
| 9048:f4279edda9fd | 9060:5fd628b89bb7 |
|---|---|
| 54 | 54 |
| 55 static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, | 55 static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, |
| 56 void *data); | 56 void *data); |
| 57 | 57 |
| 58 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); | 58 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); |
| 59 #if (NGX_QUIC_OPENSSL_COMPAT) | |
| 60 static ngx_int_t ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, | |
| 61 ngx_http_conf_addr_t *addr); | |
| 62 #endif | |
| 59 | 63 |
| 60 | 64 |
| 61 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { | 65 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { |
| 62 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | 66 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
| 63 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | 67 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, |
| 1326 | 1330 |
| 1327 if (!addr[a].opt.ssl && !addr[a].opt.quic) { | 1331 if (!addr[a].opt.ssl && !addr[a].opt.quic) { |
| 1328 continue; | 1332 continue; |
| 1329 } | 1333 } |
| 1330 | 1334 |
| 1335 if (addr[a].opt.quic) { | |
| 1336 name = "quic"; | |
| 1337 | |
| 1338 #if (NGX_QUIC_OPENSSL_COMPAT) | |
| 1339 if (ngx_http_ssl_quic_compat_init(cf, &addr[a]) != NGX_OK) { | |
| 1340 return NGX_ERROR; | |
| 1341 } | |
| 1342 #endif | |
| 1343 | |
| 1344 } else { | |
| 1345 name = "ssl"; | |
| 1346 } | |
| 1347 | |
| 1331 cscf = addr[a].default_server; | 1348 cscf = addr[a].default_server; |
| 1332 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | 1349 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; |
| 1333 | |
| 1334 if (addr[a].opt.quic) { | |
| 1335 name = "quic"; | |
| 1336 | |
| 1337 #if (NGX_QUIC_OPENSSL_COMPAT) | |
| 1338 if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) { | |
| 1339 return NGX_ERROR; | |
| 1340 } | |
| 1341 #endif | |
| 1342 | |
| 1343 } else { | |
| 1344 name = "ssl"; | |
| 1345 } | |
| 1346 | 1350 |
| 1347 if (sscf->certificates) { | 1351 if (sscf->certificates) { |
| 1348 | 1352 |
| 1349 if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { | 1353 if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { |
| 1350 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 1354 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 1389 } | 1393 } |
| 1390 } | 1394 } |
| 1391 | 1395 |
| 1392 return NGX_OK; | 1396 return NGX_OK; |
| 1393 } | 1397 } |
| 1398 | |
| 1399 | |
| 1400 #if (NGX_QUIC_OPENSSL_COMPAT) | |
| 1401 | |
| 1402 static ngx_int_t | |
| 1403 ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, ngx_http_conf_addr_t *addr) | |
| 1404 { | |
| 1405 ngx_uint_t s; | |
| 1406 ngx_http_ssl_srv_conf_t *sscf; | |
| 1407 ngx_http_core_srv_conf_t **cscfp, *cscf; | |
| 1408 | |
| 1409 cscfp = addr->servers.elts; | |
| 1410 for (s = 0; s < addr->servers.nelts; s++) { | |
| 1411 | |
| 1412 cscf = cscfp[s]; | |
| 1413 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | |
| 1414 | |
| 1415 if (sscf->certificates || sscf->reject_handshake) { | |
| 1416 if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) { | |
| 1417 return NGX_ERROR; | |
| 1418 } | |
| 1419 } | |
| 1420 } | |
| 1421 | |
| 1422 return NGX_OK; | |
| 1423 } | |
| 1424 | |
| 1425 #endif |