comparison src/http/modules/ngx_http_ssl_module.c @ 7906:7995cd199b52 quic
Merged with the default branch.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 26 May 2020 20:26:44 +0300 |
parents | c9c3a73df6e8 b56f725dd4bb |
children | 0d2b2664b41c |
7887:c7d1b500bd0a | 7906:7995cd199b52 |
---|---|
47 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | 47 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, |
48 void *conf); | 48 void *conf); |
49 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, | 49 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
50 void *conf); | 50 void *conf); |
51 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | 51 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
52 void *conf); | |
53 static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
52 void *conf); | 54 void *conf); |
53 | 55 |
54 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); | 56 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); |
55 | 57 |
56 | 58 |
72 { ngx_string("optional_no_ca"), 3 }, | 74 { ngx_string("optional_no_ca"), 3 }, |
73 { ngx_null_string, 0 } | 75 { ngx_null_string, 0 } |
74 }; | 76 }; |
75 | 77 |
76 | 78 |
79 static ngx_conf_enum_t ngx_http_ssl_ocsp[] = { | |
80 { ngx_string("off"), 0 }, | |
81 { ngx_string("on"), 1 }, | |
82 { ngx_string("leaf"), 2 }, | |
83 { ngx_null_string, 0 } | |
84 }; | |
85 | |
86 | |
77 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = { | 87 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = { |
78 ngx_conf_deprecated, "ssl", "listen ... ssl" | 88 ngx_conf_deprecated, "ssl", "listen ... ssl" |
79 }; | 89 }; |
80 | 90 |
81 | 91 |
210 { ngx_string("ssl_crl"), | 220 { ngx_string("ssl_crl"), |
211 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 221 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
212 ngx_conf_set_str_slot, | 222 ngx_conf_set_str_slot, |
213 NGX_HTTP_SRV_CONF_OFFSET, | 223 NGX_HTTP_SRV_CONF_OFFSET, |
214 offsetof(ngx_http_ssl_srv_conf_t, crl), | 224 offsetof(ngx_http_ssl_srv_conf_t, crl), |
225 NULL }, | |
226 | |
227 { ngx_string("ssl_ocsp"), | |
228 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
229 ngx_conf_set_enum_slot, | |
230 NGX_HTTP_SRV_CONF_OFFSET, | |
231 offsetof(ngx_http_ssl_srv_conf_t, ocsp), | |
232 &ngx_http_ssl_ocsp }, | |
233 | |
234 { ngx_string("ssl_ocsp_responder"), | |
235 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
236 ngx_conf_set_str_slot, | |
237 NGX_HTTP_SRV_CONF_OFFSET, | |
238 offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder), | |
239 NULL }, | |
240 | |
241 { ngx_string("ssl_ocsp_cache"), | |
242 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
243 ngx_http_ssl_ocsp_cache, | |
244 NGX_HTTP_SRV_CONF_OFFSET, | |
245 0, | |
215 NULL }, | 246 NULL }, |
216 | 247 |
217 { ngx_string("ssl_stapling"), | 248 { ngx_string("ssl_stapling"), |
218 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 249 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
219 ngx_conf_set_flag_slot, | 250 ngx_conf_set_flag_slot, |
567 * sscf->client_certificate = { 0, NULL }; | 598 * sscf->client_certificate = { 0, NULL }; |
568 * sscf->trusted_certificate = { 0, NULL }; | 599 * sscf->trusted_certificate = { 0, NULL }; |
569 * sscf->crl = { 0, NULL }; | 600 * sscf->crl = { 0, NULL }; |
570 * sscf->ciphers = { 0, NULL }; | 601 * sscf->ciphers = { 0, NULL }; |
571 * sscf->shm_zone = NULL; | 602 * sscf->shm_zone = NULL; |
603 * sscf->ocsp_responder = { 0, NULL }; | |
572 * sscf->stapling_file = { 0, NULL }; | 604 * sscf->stapling_file = { 0, NULL }; |
573 * sscf->stapling_responder = { 0, NULL }; | 605 * sscf->stapling_responder = { 0, NULL }; |
574 */ | 606 */ |
575 | 607 |
576 sscf->enable = NGX_CONF_UNSET; | 608 sscf->enable = NGX_CONF_UNSET; |
584 sscf->passwords = NGX_CONF_UNSET_PTR; | 616 sscf->passwords = NGX_CONF_UNSET_PTR; |
585 sscf->builtin_session_cache = NGX_CONF_UNSET; | 617 sscf->builtin_session_cache = NGX_CONF_UNSET; |
586 sscf->session_timeout = NGX_CONF_UNSET; | 618 sscf->session_timeout = NGX_CONF_UNSET; |
587 sscf->session_tickets = NGX_CONF_UNSET; | 619 sscf->session_tickets = NGX_CONF_UNSET; |
588 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; | 620 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
621 sscf->ocsp = NGX_CONF_UNSET_UINT; | |
622 sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR; | |
589 sscf->stapling = NGX_CONF_UNSET; | 623 sscf->stapling = NGX_CONF_UNSET; |
590 sscf->stapling_verify = NGX_CONF_UNSET; | 624 sscf->stapling_verify = NGX_CONF_UNSET; |
591 | 625 |
592 return sscf; | 626 return sscf; |
593 } | 627 } |
646 | 680 |
647 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, | 681 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
648 NGX_DEFAULT_ECDH_CURVE); | 682 NGX_DEFAULT_ECDH_CURVE); |
649 | 683 |
650 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 684 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
685 | |
686 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0); | |
687 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, ""); | |
688 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone, | |
689 prev->ocsp_cache_zone, NULL); | |
651 | 690 |
652 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); | 691 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
653 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); | 692 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); |
654 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); | 693 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
655 ngx_conf_merge_str_value(conf->stapling_responder, | 694 ngx_conf_merge_str_value(conf->stapling_responder, |
808 | 847 |
809 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { | 848 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
810 return NGX_CONF_ERROR; | 849 return NGX_CONF_ERROR; |
811 } | 850 } |
812 | 851 |
852 if (conf->ocsp) { | |
853 | |
854 if (conf->verify == 3) { | |
855 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
856 "\"ssl_ocsp\" is incompatible with " | |
857 "\"ssl_verify_client optional_no_ca\""); | |
858 return NGX_CONF_ERROR; | |
859 } | |
860 | |
861 if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp, | |
862 conf->ocsp_cache_zone) | |
863 != NGX_OK) | |
864 { | |
865 return NGX_CONF_ERROR; | |
866 } | |
867 } | |
868 | |
813 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { | 869 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
814 return NGX_CONF_ERROR; | 870 return NGX_CONF_ERROR; |
815 } | 871 } |
816 | 872 |
817 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { | 873 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { |
1101 | 1157 |
1102 invalid: | 1158 invalid: |
1103 | 1159 |
1104 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 1160 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
1105 "invalid session cache \"%V\"", &value[i]); | 1161 "invalid session cache \"%V\"", &value[i]); |
1162 | |
1163 return NGX_CONF_ERROR; | |
1164 } | |
1165 | |
1166 | |
1167 static char * | |
1168 ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
1169 { | |
1170 ngx_http_ssl_srv_conf_t *sscf = conf; | |
1171 | |
1172 size_t len; | |
1173 ngx_int_t n; | |
1174 ngx_str_t *value, name, size; | |
1175 ngx_uint_t j; | |
1176 | |
1177 if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) { | |
1178 return "is duplicate"; | |
1179 } | |
1180 | |
1181 value = cf->args->elts; | |
1182 | |
1183 if (ngx_strcmp(value[1].data, "off") == 0) { | |
1184 sscf->ocsp_cache_zone = NULL; | |
1185 return NGX_CONF_OK; | |
1186 } | |
1187 | |
1188 if (value[1].len <= sizeof("shared:") - 1 | |
1189 || ngx_strncmp(value[1].data, "shared:", sizeof("shared:") - 1) != 0) | |
1190 { | |
1191 goto invalid; | |
1192 } | |
1193 | |
1194 len = 0; | |
1195 | |
1196 for (j = sizeof("shared:") - 1; j < value[1].len; j++) { | |
1197 if (value[1].data[j] == ':') { | |
1198 break; | |
1199 } | |
1200 | |
1201 len++; | |
1202 } | |
1203 | |
1204 if (len == 0) { | |
1205 goto invalid; | |
1206 } | |
1207 | |
1208 name.len = len; | |
1209 name.data = value[1].data + sizeof("shared:") - 1; | |
1210 | |
1211 size.len = value[1].len - j - 1; | |
1212 size.data = name.data + len + 1; | |
1213 | |
1214 n = ngx_parse_size(&size); | |
1215 | |
1216 if (n == NGX_ERROR) { | |
1217 goto invalid; | |
1218 } | |
1219 | |
1220 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
1221 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
1222 "OCSP cache \"%V\" is too small", &value[1]); | |
1223 | |
1224 return NGX_CONF_ERROR; | |
1225 } | |
1226 | |
1227 sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n, | |
1228 &ngx_http_ssl_module_ctx); | |
1229 if (sscf->ocsp_cache_zone == NULL) { | |
1230 return NGX_CONF_ERROR; | |
1231 } | |
1232 | |
1233 sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init; | |
1234 | |
1235 return NGX_CONF_OK; | |
1236 | |
1237 invalid: | |
1238 | |
1239 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
1240 "invalid OCSP cache \"%V\"", &value[1]); | |
1106 | 1241 |
1107 return NGX_CONF_ERROR; | 1242 return NGX_CONF_ERROR; |
1108 } | 1243 } |
1109 | 1244 |
1110 | 1245 |
1124 | 1259 |
1125 for (s = 0; s < cmcf->servers.nelts; s++) { | 1260 for (s = 0; s < cmcf->servers.nelts; s++) { |
1126 | 1261 |
1127 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | 1262 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; |
1128 | 1263 |
1129 if (sscf->ssl.ctx == NULL || !sscf->stapling) { | 1264 if (sscf->ssl.ctx == NULL) { |
1130 continue; | 1265 continue; |
1131 } | 1266 } |
1132 | 1267 |
1133 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index]; | 1268 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index]; |
1134 | 1269 |
1135 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, | 1270 if (sscf->stapling) { |
1271 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, | |
1272 clcf->resolver_timeout) | |
1273 != NGX_OK) | |
1274 { | |
1275 return NGX_ERROR; | |
1276 } | |
1277 } | |
1278 | |
1279 if (sscf->ocsp) { | |
1280 if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver, | |
1136 clcf->resolver_timeout) | 1281 clcf->resolver_timeout) |
1137 != NGX_OK) | 1282 != NGX_OK) |
1138 { | 1283 { |
1139 return NGX_ERROR; | 1284 return NGX_ERROR; |
1285 } | |
1140 } | 1286 } |
1141 } | 1287 } |
1142 | 1288 |
1143 if (cmcf->ports == NULL) { | 1289 if (cmcf->ports == NULL) { |
1144 return NGX_OK; | 1290 return NGX_OK; |
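Review bot: In the new ngx_http_ssl_ocsp_cache (new-side lines 1167-1243), the scan for the second ':' can run off the end of the argument without finding one (for example a value of the form `shared:name` with no size part), and nothing rejects that case: the loop then leaves j == value[1].len, so `size.len = value[1].len - j - 1` wraps to SIZE_MAX and `size.data` points one past the argument. Whether ngx_parse_size tolerates that pair is not visible here, but the parser should not depend on it; add `if (j == value[1].len) { goto invalid; }` immediately after the `len == 0` check so the missing-size form is reported as "invalid OCSP cache" like the other malformed inputs. The same check would also remove the implicit reliance on the argument being NUL-terminated behind the name. As a smaller point of style, the `ssl_ocsp` entry in the command table (new-side lines 227-232) is declared `NGX_CONF_FLAG` while being parsed with `ngx_conf_set_enum_slot` over an off/on/leaf enum; `NGX_CONF_TAKE1`, as used by the neighbouring single-argument directives, describes the directive more accurately.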