comparison src/http/modules/ngx_http_ssl_module.c @ 671:cec32b3753ac release-0.3.57
nginx-0.3.57-RELEASE import
*) Feature: the $ssl_client_serial variable.
*) Bugfix: in the "!-e" operator of the "if" directive.
Thanks to Andrian Budanstov.
*) Bugfix: during client certificate verification, nginx did not send
the client the required certificate information.
*) Bugfix: the $document_root variable did not support the variables in
the "root" directive.
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Wed, 09 Aug 2006 19:59:45 +0000 |
parents | 562806624c4a |
children | 065b39794fff |
670:ba43c68592d0 | 671:cec32b3753ac |
---|---|
7 #include <ngx_config.h> | 7 #include <ngx_config.h> |
8 #include <ngx_core.h> | 8 #include <ngx_core.h> |
9 #include <ngx_http.h> | 9 #include <ngx_http.h> |
10 | 10 |
11 | 11 |
12 typedef u_char *(*ngx_ssl_variable_handler_pt)(ngx_connection_t *); | 12 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, |
13 ngx_pool_t *pool, ngx_str_t *s); | |
13 | 14 |
14 | 15 |
15 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" | 16 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" |
16 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" | 17 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" |
17 #define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" | 18 #define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" |
18 | 19 |
19 | 20 |
20 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); | 21 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, |
22 ngx_http_variable_value_t *v, uintptr_t data); | |
21 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, | 23 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, |
22 ngx_http_variable_value_t *v, uintptr_t data); | |
23 static ngx_int_t ngx_http_ssl_client_s_dn(ngx_http_request_t *r, | |
24 ngx_http_variable_value_t *v, uintptr_t data); | |
25 static ngx_int_t ngx_http_ssl_client_i_dn(ngx_http_request_t *r, | |
26 ngx_http_variable_value_t *v, uintptr_t data); | 24 ngx_http_variable_value_t *v, uintptr_t data); |
27 | 25 |
28 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf); | 26 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf); |
29 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); | 27 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); |
30 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, | 28 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, |
159 }; | 157 }; |
160 | 158 |
161 | 159 |
162 static ngx_http_variable_t ngx_http_ssl_vars[] = { | 160 static ngx_http_variable_t ngx_http_ssl_vars[] = { |
163 | 161 |
164 { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_variable, | 162 { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable, |
165 (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGABLE, 0 }, | 163 (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGABLE, 0 }, |
166 | 164 |
167 { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_variable, | 165 { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable, |
168 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGABLE, 0 }, | 166 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGABLE, 0 }, |
169 | 167 |
170 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_client_s_dn, | 168 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable, |
171 0, NGX_HTTP_VAR_CHANGABLE, 0 }, | 169 (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGABLE, 0 }, |
172 | 170 |
173 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_client_i_dn, | 171 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable, |
174 0, NGX_HTTP_VAR_CHANGABLE, 0 }, | 172 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGABLE, 0 }, |
173 | |
174 { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable, | |
175 (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGABLE, 0 }, | |
175 | 176 |
176 { ngx_null_string, NULL, NULL, 0, 0, 0 } | 177 { ngx_null_string, NULL, NULL, 0, 0, 0 } |
177 }; | 178 }; |
178 | 179 |
179 | 180 |
180 static u_char ngx_http_session_id_ctx[] = "HTTP"; | 181 static u_char ngx_http_session_id_ctx[] = "HTTP"; |
181 | 182 |
182 | 183 |
183 static ngx_int_t | 184 static ngx_int_t |
184 ngx_http_ssl_variable(ngx_http_request_t *r, | 185 ngx_http_ssl_static_variable(ngx_http_request_t *r, |
185 ngx_http_variable_value_t *v, uintptr_t data) | 186 ngx_http_variable_value_t *v, uintptr_t data) |
186 { | 187 { |
187 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; | 188 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; |
188 | 189 |
189 size_t len; | 190 size_t len; |
190 u_char *name; | |
191 | 191 |
192 if (r->connection->ssl) { | 192 if (r->connection->ssl) { |
193 | 193 |
194 name = handler(r->connection); | 194 (void) handler(r->connection, NULL, (ngx_str_t *) v); |
195 | 195 |
196 for (len = 0; name[len]; len++) { /* void */ } | 196 for (len = 0; v->data[len]; len++) { /* void */ } |
197 | 197 |
198 v->len = len; | 198 v->len = len; |
199 v->valid = 1; | 199 v->valid = 1; |
200 v->no_cachable = 0; | 200 v->no_cachable = 0; |
201 v->not_found = 0; | 201 v->not_found = 0; |
202 v->data = name; | |
203 | 202 |
204 return NGX_OK; | 203 return NGX_OK; |
205 } | 204 } |
206 | 205 |
207 v->not_found = 1; | 206 v->not_found = 1; |
209 return NGX_OK; | 208 return NGX_OK; |
210 } | 209 } |
211 | 210 |
212 | 211 |
213 static ngx_int_t | 212 static ngx_int_t |
214 ngx_http_ssl_client_s_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v, | 213 ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v, |
215 uintptr_t data) | 214 uintptr_t data) |
216 { | 215 { |
216 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; | |
217 | |
217 if (r->connection->ssl) { | 218 if (r->connection->ssl) { |
218 if (ngx_ssl_get_subject_dn(r->connection, r->pool, (ngx_str_t *) v) | 219 if (handler(r->connection, r->pool, (ngx_str_t *) v) != NGX_OK) { |
219 != NGX_OK) | |
220 { | |
221 return NGX_ERROR; | |
222 } | |
223 | |
224 if (v->len) { | |
225 v->valid = 1; | |
226 v->no_cachable = 0; | |
227 v->not_found = 0; | |
228 | |
229 return NGX_OK; | |
230 } | |
231 } | |
232 | |
233 v->not_found = 1; | |
234 | |
235 return NGX_OK; | |
236 } | |
237 | |
238 | |
239 static ngx_int_t | |
240 ngx_http_ssl_client_i_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v, | |
241 uintptr_t data) | |
242 { | |
243 if (r->connection->ssl) { | |
244 if (ngx_ssl_get_issuer_dn(r->connection, r->pool, (ngx_str_t *) v) | |
245 != NGX_OK) | |
246 { | |
247 return NGX_ERROR; | 220 return NGX_ERROR; |
248 } | 221 } |
249 | 222 |
250 if (v->len) { | 223 if (v->len) { |
251 v->valid = 1; | 224 v->valid = 1; |
383 "SSL_CTX_set_cipher_list(\"%V\") failed", | 356 "SSL_CTX_set_cipher_list(\"%V\") failed", |
384 &conf->ciphers); | 357 &conf->ciphers); |
385 } | 358 } |
386 | 359 |
387 if (conf->verify) { | 360 if (conf->verify) { |
388 SSL_CTX_set_verify(conf->ssl.ctx, NGX_SSL_VERIFY, | 361 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
389 ngx_http_ssl_verify_callback); | 362 &conf->client_certificate, conf->verify_depth) |
390 | 363 != NGX_OK) |
391 SSL_CTX_set_verify_depth(conf->ssl.ctx, conf->verify_depth); | 364 { |
392 | 365 return NGX_CONF_ERROR; |
393 if (conf->client_certificate.len) { | |
394 if (ngx_ssl_client_certificate(cf, &conf->ssl, | |
395 &conf->client_certificate) | |
396 != NGX_OK) | |
397 { | |
398 return NGX_CONF_ERROR; | |
399 } | |
400 } | 366 } |
401 } | 367 } |
402 | 368 |
403 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE | 369 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE |
404 | 370 |
422 | 388 |
423 return NGX_CONF_OK; | 389 return NGX_CONF_OK; |
424 } | 390 } |
425 | 391 |
426 | 392 |
427 static int | |
428 ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) | |
429 { | |
430 return 1; | |
431 } | |
432 | |
433 | |
434 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) | 393 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) |
435 | 394 |
436 static char * | 395 static char * |
437 ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | 396 ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
438 { | 397 { |
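Review bot: In ngx_http_ssl_static_variable (new lines 194-196) the handler's result is discarded with `(void) handler(...)` and the loop `for (len = 0; v->data[len]; len++)` then scans v->data with no bound, so a handler that fails or leaves v->data unset would dereference a NULL or stale pointer. Checking the result, `if (handler(r->connection, NULL, (ngx_str_t *) v) != NGX_OK) { return NGX_ERROR; }`, matches what the new ngx_http_ssl_variable already does at new line 219 and costs nothing. A short comment on the ngx_ssl_variable_handler_pt typedef stating that handlers called with a NULL pool must leave a NUL-terminated string in s->data, while pool-backed handlers set s->len, would make the contract the two wrappers rely on explicit. Separately, the rewritten verify block at new lines 360-367 drops the old `if (conf->client_certificate.len)` guard, so ngx_ssl_client_certificate is now called even when ssl_client_certificate is unset; that is only safe if the helper (not shown here) tolerates an empty certificate name, which is worth confirming.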