comparison src/http/modules/ngx_http_ssl_module.c @ 8188:71b7453fb11f quic
Merged with the default branch.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Thu, 29 Oct 2020 14:53:58 +0000 |
parents | 93be5658a250 59e1c73fe02b |
children | e0947c952d43 |
8176:69dc750cf66f | 8188:71b7453fb11f |
50 void *conf); | 50 void *conf); |
51 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | 51 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
52 void *conf); | 52 void *conf); |
53 static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, | 53 static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
54 void *conf); | 54 void *conf); |
55 | |
56 static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, | |
57 void *data); | |
55 | 58 |
56 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); | 59 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); |
57 | 60 |
58 | 61 |
59 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { | 62 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { |
87 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = { | 90 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = { |
88 ngx_conf_deprecated, "ssl", "listen ... ssl" | 91 ngx_conf_deprecated, "ssl", "listen ... ssl" |
89 }; | 92 }; |
90 | 93 |
91 | 94 |
95 static ngx_conf_post_t ngx_http_ssl_conf_command_post = | |
96 { ngx_http_ssl_conf_command_check }; | |
97 | |
98 | |
92 static ngx_command_t ngx_http_ssl_commands[] = { | 99 static ngx_command_t ngx_http_ssl_commands[] = { |
93 | 100 |
94 { ngx_string("ssl"), | 101 { ngx_string("ssl"), |
95 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 102 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
96 ngx_http_ssl_enable, | 103 ngx_http_ssl_enable, |
276 { ngx_string("ssl_early_data"), | 283 { ngx_string("ssl_early_data"), |
277 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 284 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
278 ngx_conf_set_flag_slot, | 285 ngx_conf_set_flag_slot, |
279 NGX_HTTP_SRV_CONF_OFFSET, | 286 NGX_HTTP_SRV_CONF_OFFSET, |
280 offsetof(ngx_http_ssl_srv_conf_t, early_data), | 287 offsetof(ngx_http_ssl_srv_conf_t, early_data), |
288 NULL }, | |
289 | |
290 { ngx_string("ssl_conf_command"), | |
291 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2, | |
292 ngx_conf_set_keyval_slot, | |
293 NGX_HTTP_SRV_CONF_OFFSET, | |
294 offsetof(ngx_http_ssl_srv_conf_t, conf_commands), | |
295 &ngx_http_ssl_conf_command_post }, | |
296 | |
297 { ngx_string("ssl_reject_handshake"), | |
298 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
299 ngx_conf_set_flag_slot, | |
300 NGX_HTTP_SRV_CONF_OFFSET, | |
301 offsetof(ngx_http_ssl_srv_conf_t, reject_handshake), | |
281 NULL }, | 302 NULL }, |
282 | 303 |
283 ngx_null_command | 304 ngx_null_command |
284 }; | 305 }; |
285 | 306 |
612 */ | 633 */ |
613 | 634 |
614 sscf->enable = NGX_CONF_UNSET; | 635 sscf->enable = NGX_CONF_UNSET; |
615 sscf->prefer_server_ciphers = NGX_CONF_UNSET; | 636 sscf->prefer_server_ciphers = NGX_CONF_UNSET; |
616 sscf->early_data = NGX_CONF_UNSET; | 637 sscf->early_data = NGX_CONF_UNSET; |
638 sscf->reject_handshake = NGX_CONF_UNSET; | |
617 sscf->buffer_size = NGX_CONF_UNSET_SIZE; | 639 sscf->buffer_size = NGX_CONF_UNSET_SIZE; |
618 sscf->verify = NGX_CONF_UNSET_UINT; | 640 sscf->verify = NGX_CONF_UNSET_UINT; |
619 sscf->verify_depth = NGX_CONF_UNSET_UINT; | 641 sscf->verify_depth = NGX_CONF_UNSET_UINT; |
620 sscf->certificates = NGX_CONF_UNSET_PTR; | 642 sscf->certificates = NGX_CONF_UNSET_PTR; |
621 sscf->certificate_keys = NGX_CONF_UNSET_PTR; | 643 sscf->certificate_keys = NGX_CONF_UNSET_PTR; |
622 sscf->passwords = NGX_CONF_UNSET_PTR; | 644 sscf->passwords = NGX_CONF_UNSET_PTR; |
645 sscf->conf_commands = NGX_CONF_UNSET_PTR; | |
623 sscf->builtin_session_cache = NGX_CONF_UNSET; | 646 sscf->builtin_session_cache = NGX_CONF_UNSET; |
624 sscf->session_timeout = NGX_CONF_UNSET; | 647 sscf->session_timeout = NGX_CONF_UNSET; |
625 sscf->session_tickets = NGX_CONF_UNSET; | 648 sscf->session_tickets = NGX_CONF_UNSET; |
626 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; | 649 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
627 sscf->ocsp = NGX_CONF_UNSET_UINT; | 650 sscf->ocsp = NGX_CONF_UNSET_UINT; |
657 | 680 |
658 ngx_conf_merge_value(conf->prefer_server_ciphers, | 681 ngx_conf_merge_value(conf->prefer_server_ciphers, |
659 prev->prefer_server_ciphers, 0); | 682 prev->prefer_server_ciphers, 0); |
660 | 683 |
661 ngx_conf_merge_value(conf->early_data, prev->early_data, 0); | 684 ngx_conf_merge_value(conf->early_data, prev->early_data, 0); |
685 ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0); | |
662 | 686 |
663 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | 687 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, |
664 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 | 688 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
665 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); | 689 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
666 | 690 |
687 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, | 711 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
688 NGX_DEFAULT_ECDH_CURVE); | 712 NGX_DEFAULT_ECDH_CURVE); |
689 | 713 |
690 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 714 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
691 | 715 |
716 ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); | |
717 | |
692 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0); | 718 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0); |
693 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, ""); | 719 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, ""); |
694 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone, | 720 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone, |
695 prev->ocsp_cache_zone, NULL); | 721 prev->ocsp_cache_zone, NULL); |
696 | 722 |
702 | 728 |
703 conf->ssl.log = cf->log; | 729 conf->ssl.log = cf->log; |
704 | 730 |
705 if (conf->enable) { | 731 if (conf->enable) { |
706 | 732 |
707 if (conf->certificates == NULL) { | 733 if (conf->certificates) { |
734 if (conf->certificate_keys == NULL) { | |
735 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
736 "no \"ssl_certificate_key\" is defined for " | |
737 "the \"ssl\" directive in %s:%ui", | |
738 conf->file, conf->line); | |
739 return NGX_CONF_ERROR; | |
740 } | |
741 | |
742 if (conf->certificate_keys->nelts < conf->certificates->nelts) { | |
743 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
744 "no \"ssl_certificate_key\" is defined " | |
745 "for certificate \"%V\" and " | |
746 "the \"ssl\" directive in %s:%ui", | |
747 ((ngx_str_t *) conf->certificates->elts) | |
748 + conf->certificates->nelts - 1, | |
749 conf->file, conf->line); | |
750 return NGX_CONF_ERROR; | |
751 } | |
752 | |
753 } else if (!conf->reject_handshake) { | |
708 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 754 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
709 "no \"ssl_certificate\" is defined for " | 755 "no \"ssl_certificate\" is defined for " |
710 "the \"ssl\" directive in %s:%ui", | 756 "the \"ssl\" directive in %s:%ui", |
711 conf->file, conf->line); | 757 conf->file, conf->line); |
712 return NGX_CONF_ERROR; | 758 return NGX_CONF_ERROR; |
713 } | 759 } |
714 | 760 |
715 if (conf->certificate_keys == NULL) { | 761 } else if (conf->certificates) { |
716 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
717 "no \"ssl_certificate_key\" is defined for " | |
718 "the \"ssl\" directive in %s:%ui", | |
719 conf->file, conf->line); | |
720 return NGX_CONF_ERROR; | |
721 } | |
722 | |
723 if (conf->certificate_keys->nelts < conf->certificates->nelts) { | |
724 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
725 "no \"ssl_certificate_key\" is defined " | |
726 "for certificate \"%V\" and " | |
727 "the \"ssl\" directive in %s:%ui", | |
728 ((ngx_str_t *) conf->certificates->elts) | |
729 + conf->certificates->nelts - 1, | |
730 conf->file, conf->line); | |
731 return NGX_CONF_ERROR; | |
732 } | |
733 | |
734 } else { | |
735 | |
736 if (conf->certificates == NULL) { | |
737 return NGX_CONF_OK; | |
738 } | |
739 | 762 |
740 if (conf->certificate_keys == NULL | 763 if (conf->certificate_keys == NULL |
741 || conf->certificate_keys->nelts < conf->certificates->nelts) | 764 || conf->certificate_keys->nelts < conf->certificates->nelts) |
742 { | 765 { |
743 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 766 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
745 "for certificate \"%V\"", | 768 "for certificate \"%V\"", |
746 ((ngx_str_t *) conf->certificates->elts) | 769 ((ngx_str_t *) conf->certificates->elts) |
747 + conf->certificates->nelts - 1); | 770 + conf->certificates->nelts - 1); |
748 return NGX_CONF_ERROR; | 771 return NGX_CONF_ERROR; |
749 } | 772 } |
773 | |
774 } else if (!conf->reject_handshake) { | |
775 return NGX_CONF_OK; | |
750 } | 776 } |
751 | 777 |
752 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { | 778 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { |
753 return NGX_CONF_ERROR; | 779 return NGX_CONF_ERROR; |
754 } | 780 } |
803 "\"ssl_certificate\" and \"ssl_certificate_key\" " | 829 "\"ssl_certificate\" and \"ssl_certificate_key\" " |
804 "directives are not supported on this platform"); | 830 "directives are not supported on this platform"); |
805 return NGX_CONF_ERROR; | 831 return NGX_CONF_ERROR; |
806 #endif | 832 #endif |
807 | 833 |
808 } else { | 834 } else if (conf->certificates) { |
809 | 835 |
810 /* configure certificates */ | 836 /* configure certificates */ |
811 | 837 |
812 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, | 838 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, |
813 conf->certificate_keys, conf->passwords) | 839 conf->certificate_keys, conf->passwords) |
922 } | 948 } |
923 | 949 |
924 } | 950 } |
925 | 951 |
926 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) { | 952 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) { |
953 return NGX_CONF_ERROR; | |
954 } | |
955 | |
956 if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) { | |
927 return NGX_CONF_ERROR; | 957 return NGX_CONF_ERROR; |
928 } | 958 } |
929 | 959 |
930 return NGX_CONF_OK; | 960 return NGX_CONF_OK; |
931 } | 961 } |
938 ngx_str_t *cert, *key; | 968 ngx_str_t *cert, *key; |
939 ngx_uint_t i, nelts; | 969 ngx_uint_t i, nelts; |
940 ngx_http_complex_value_t *cv; | 970 ngx_http_complex_value_t *cv; |
941 ngx_http_compile_complex_value_t ccv; | 971 ngx_http_compile_complex_value_t ccv; |
942 | 972 |
973 if (conf->certificates == NULL) { | |
974 return NGX_OK; | |
975 } | |
976 | |
943 cert = conf->certificates->elts; | 977 cert = conf->certificates->elts; |
944 key = conf->certificate_keys->elts; | 978 key = conf->certificate_keys->elts; |
945 nelts = conf->certificates->nelts; | 979 nelts = conf->certificates->nelts; |
946 | 980 |
947 for (i = 0; i < nelts; i++) { | 981 for (i = 0; i < nelts; i++) { |
1244 | 1278 |
1245 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 1279 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
1246 "invalid OCSP cache \"%V\"", &value[1]); | 1280 "invalid OCSP cache \"%V\"", &value[1]); |
1247 | 1281 |
1248 return NGX_CONF_ERROR; | 1282 return NGX_CONF_ERROR; |
1283 } | |
1284 | |
1285 | |
1286 static char * | |
1287 ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) | |
1288 { | |
1289 #ifndef SSL_CONF_FLAG_FILE | |
1290 return "is not supported on this platform"; | |
1291 #endif | |
1292 | |
1293 return NGX_CONF_OK; | |
1249 } | 1294 } |
1250 | 1295 |
1251 | 1296 |
1252 static ngx_int_t | 1297 static ngx_int_t |
1253 ngx_http_ssl_init(ngx_conf_t *cf) | 1298 ngx_http_ssl_init(ngx_conf_t *cf) |
1318 } | 1363 } |
1319 | 1364 |
1320 cscf = addr[a].default_server; | 1365 cscf = addr[a].default_server; |
1321 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | 1366 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; |
1322 | 1367 |
1323 if (sscf->certificates == NULL) { | 1368 if (sscf->certificates) { |
1369 continue; | |
1370 } | |
1371 | |
1372 if (!sscf->reject_handshake) { | |
1373 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
1374 "no \"ssl_certificate\" is defined for " | |
1375 "the \"listen ... ssl\" directive in %s:%ui", | |
1376 cscf->file_name, cscf->line); | |
1377 return NGX_ERROR; | |
1378 } | |
1379 | |
1380 /* | |
1381 * if no certificates are defined in the default server, | |
1382 * check all non-default server blocks | |
1383 */ | |
1384 | |
1385 cscfp = addr[a].servers.elts; | |
1386 for (s = 0; s < addr[a].servers.nelts; s++) { | |
1387 | |
1388 cscf = cscfp[s]; | |
1389 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | |
1390 | |
1391 if (sscf->certificates || sscf->reject_handshake) { | |
1392 continue; | |
1393 } | |
1394 | |
1324 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 1395 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
1325 "no \"ssl_certificate\" is defined for " | 1396 "no \"ssl_certificate\" is defined for " |
1326 "the \"listen ... %s\" directive in %s:%ui", | 1397 "the \"listen ... %s\" directive in %s:%ui", |
1327 name, cscf->file_name, cscf->line); | 1398 name, cscf->file_name, cscf->line); |
1328 return NGX_ERROR; | 1399 return NGX_ERROR; |
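Review bot: The new default-server diagnostic at new lines 1373-1376 hardcodes `"the \"listen ... ssl\" directive in %s:%ui"`, while the non-default-server message a few lines below (new 1396-1398) and the pre-merge form of this same check (old 1324-1327) format the listener keyword through `name`; on this branch a QUIC/HTTP3 listener whose default server has neither a certificate nor `ssl_reject_handshake` would therefore be reported as a `listen ... ssl` problem, which misdirects whoever debugs the configuration. Keep the two messages consistent by changing the format and argument lines to `"the \"listen ... %s\" directive in %s:%ui",` and `name, cscf->file_name, cscf->line);`. `name` is visibly in scope at new line 1398, so no other change is needed. The enclosing address loop of ngx_http_ssl_init starts and ends outside this hunk, and the same hardcoded keyword does not appear in the other hunks of this section.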