comparison src/event/ngx_event_openssl.c @ 578:f3a9e57d2e17

Merge with current.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 11 Mar 2010 21:27:17 +0300
parents da3c99095432
children be4f34123024
comparison
equal deleted inserted replaced
539:5f4de8cf0d9d 578:f3a9e57d2e17
13 ngx_uint_t engine; /* unsigned engine:1; */ 13 ngx_uint_t engine; /* unsigned engine:1; */
14 } ngx_openssl_conf_t; 14 } ngx_openssl_conf_t;
15 15
16 16
17 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); 17 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
18 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
19 int ret);
18 static void ngx_ssl_handshake_handler(ngx_event_t *ev); 20 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
19 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); 21 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
20 static void ngx_ssl_write_handler(ngx_event_t *wev); 22 static void ngx_ssl_write_handler(ngx_event_t *wev);
21 static void ngx_ssl_read_handler(ngx_event_t *rev); 23 static void ngx_ssl_read_handler(ngx_event_t *rev);
22 static void ngx_ssl_shutdown_handler(ngx_event_t *ev); 24 static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
102 SSL_library_init(); 104 SSL_library_init();
103 SSL_load_error_strings(); 105 SSL_load_error_strings();
104 106
105 ENGINE_load_builtin_engines(); 107 ENGINE_load_builtin_engines();
106 108
109 OpenSSL_add_all_algorithms();
110
107 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); 111 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
108 112
109 if (ngx_ssl_connection_index == -1) { 113 if (ngx_ssl_connection_index == -1) {
110 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); 114 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
111 return NGX_ERROR; 115 return NGX_ERROR;
172 if (ngx_ssl_protocols[protocols >> 1] != 0) { 176 if (ngx_ssl_protocols[protocols >> 1] != 0) {
173 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); 177 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
174 } 178 }
175 179
176 SSL_CTX_set_read_ahead(ssl->ctx, 1); 180 SSL_CTX_set_read_ahead(ssl->ctx, 1);
181
182 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
177 183
178 return NGX_OK; 184 return NGX_OK;
179 } 185 }
180 186
181 187
345 OPENSSL_free(issuer); 351 OPENSSL_free(issuer);
346 } 352 }
347 #endif 353 #endif
348 354
349 return 1; 355 return 1;
356 }
357
358
359 static void
360 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
361 {
362 ngx_connection_t *c;
363
364 if (where & SSL_CB_HANDSHAKE_START) {
365 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
366
367 if (c->ssl->handshaked) {
368 c->ssl->renegotiation = 1;
369 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
370 }
371 }
350 } 372 }
351 373
352 374
353 ngx_int_t 375 ngx_int_t
354 ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl) 376 ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl)
585 c->recv = ngx_ssl_recv; 607 c->recv = ngx_ssl_recv;
586 c->send = ngx_ssl_write; 608 c->send = ngx_ssl_write;
587 c->recv_chain = ngx_ssl_recv_chain; 609 c->recv_chain = ngx_ssl_recv_chain;
588 c->send_chain = ngx_ssl_send_chain; 610 c->send_chain = ngx_ssl_send_chain;
589 611
612 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
613 if (c->ssl->connection->s3) {
614 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
615 }
616
590 return NGX_OK; 617 return NGX_OK;
591 } 618 }
592 619
593 sslerr = SSL_get_error(c->ssl->connection, n); 620 sslerr = SSL_get_error(c->ssl->connection, n);
594 621
786 static ngx_int_t 813 static ngx_int_t
787 ngx_ssl_handle_recv(ngx_connection_t *c, int n) 814 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
788 { 815 {
789 int sslerr; 816 int sslerr;
790 ngx_err_t err; 817 ngx_err_t err;
818
819 if (c->ssl->renegotiation) {
820 /*
821 * disable renegotiation (CVE-2009-3555):
822 * OpenSSL (at least up to 0.9.8l) does not handle disabled
823 * renegotiation gracefully, so drop connection here
824 */
825
826 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
827
828 c->ssl->no_wait_shutdown = 1;
829 c->ssl->no_send_shutdown = 1;
830
831 return NGX_ERROR;
832 }
791 833
792 if (n > 0) { 834 if (n > 0) {
793 835
794 if (c->ssl->saved_write_handler) { 836 if (c->ssl->saved_write_handler) {
795 837
944 send = 0; 986 send = 0;
945 flush = (in == NULL) ? 1 : 0; 987 flush = (in == NULL) ? 1 : 0;
946 988
947 for ( ;; ) { 989 for ( ;; ) {
948 990
949 while (in && buf->last < buf->end) { 991 while (in && buf->last < buf->end && send < limit) {
950 if (in->buf->last_buf || in->buf->flush) { 992 if (in->buf->last_buf || in->buf->flush) {
951 flush = 1; 993 flush = 1;
952 } 994 }
953 995
954 if (ngx_buf_special(in->buf)) { 996 if (ngx_buf_special(in->buf)) {
971 "SSL buf copy: %d", size); 1013 "SSL buf copy: %d", size);
972 1014
973 ngx_memcpy(buf->last, in->buf->pos, size); 1015 ngx_memcpy(buf->last, in->buf->pos, size);
974 1016
975 buf->last += size; 1017 buf->last += size;
976
977 in->buf->pos += size; 1018 in->buf->pos += size;
1019 send += size;
978 1020
979 if (in->buf->pos == in->buf->last) { 1021 if (in->buf->pos == in->buf->last) {
980 in = in->next; 1022 in = in->next;
981 } 1023 }
982 } 1024 }
997 c->buffered |= NGX_SSL_BUFFERED; 1039 c->buffered |= NGX_SSL_BUFFERED;
998 return in; 1040 return in;
999 } 1041 }
1000 1042
1001 buf->pos += n; 1043 buf->pos += n;
1002 send += n;
1003 c->sent += n; 1044 c->sent += n;
1004 1045
1005 if (n < size) { 1046 if (n < size) {
1006 break; 1047 break;
1007 } 1048 }
1267 1308
1268 n = ERR_GET_REASON(ERR_peek_error()); 1309 n = ERR_GET_REASON(ERR_peek_error());
1269 1310
1270 /* handshake failures */ 1311 /* handshake failures */
1271 if (n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ 1312 if (n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
1313 || n == SSL_R_LENGTH_MISMATCH /* 159 */
1272 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ 1314 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
1315 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
1273 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ 1316 || n == SSL_R_NO_SHARED_CIPHER /* 193 */
1317 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
1274 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ 1318 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
1275 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ 1319 || n == SSL_R_UNEXPECTED_RECORD /* 245 */
1320 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
1321 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
1276 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ 1322 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
1277 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ 1323 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
1278 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ 1324 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
1279 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ 1325 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
1280 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ 1326 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */
1382 if (builtin_session_cache == NGX_SSL_NO_SCACHE) { 1428 if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
1383 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF); 1429 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
1384 return NGX_OK; 1430 return NGX_OK;
1385 } 1431 }
1386 1432
1433 SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
1434
1387 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { 1435 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
1388 1436
1389 /* 1437 /*
1390 * If the server explicitly says that it does not support 1438 * If the server explicitly says that it does not support
1391 * session reuse (see SSL_SESS_CACHE_OFF above), then 1439 * session reuse (see SSL_SESS_CACHE_OFF above), then
1412 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) { 1460 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) {
1413 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL; 1461 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL;
1414 } 1462 }
1415 1463
1416 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); 1464 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
1417
1418 SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
1419 1465
1420 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) { 1466 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
1421 1467
1422 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) { 1468 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
1423 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache); 1469 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache);
1586 ngx_memcpy(id, sess->session_id, sess->session_id_length); 1632 ngx_memcpy(id, sess->session_id, sess->session_id_length);
1587 1633
1588 hash = ngx_crc32_short(sess->session_id, sess->session_id_length); 1634 hash = ngx_crc32_short(sess->session_id, sess->session_id_length);
1589 1635
1590 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, 1636 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
1591 "http ssl new session: %08XD:%d:%d", 1637 "ssl new session: %08XD:%d:%d",
1592 hash, sess->session_id_length, len); 1638 hash, sess->session_id_length, len);
1593 1639
1594 sess_id->node.key = hash; 1640 sess_id->node.key = hash;
1595 sess_id->node.data = (u_char) sess->session_id_length; 1641 sess_id->node.data = (u_char) sess->session_id_length;
1596 sess_id->id = id; 1642 sess_id->id = id;
1649 1695
1650 hash = ngx_crc32_short(id, (size_t) len); 1696 hash = ngx_crc32_short(id, (size_t) len);
1651 *copy = 0; 1697 *copy = 0;
1652 1698
1653 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, 1699 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
1654 "http ssl get session: %08XD:%d", hash, len); 1700 "ssl get session: %08XD:%d", hash, len);
1655 1701
1656 shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn), 1702 shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
1657 ngx_ssl_session_cache_index); 1703 ngx_ssl_session_cache_index);
1658 1704
1659 cache = shm_zone->data; 1705 cache = shm_zone->data;
1763 len = (size_t) sess->session_id_length; 1809 len = (size_t) sess->session_id_length;
1764 1810
1765 hash = ngx_crc32_short(id, len); 1811 hash = ngx_crc32_short(id, len);
1766 1812
1767 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, 1813 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
1768 "http ssl remove session: %08XD:%uz", hash, len); 1814 "ssl remove session: %08XD:%uz", hash, len);
1769 1815
1770 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; 1816 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
1771 1817
1772 ngx_shmtx_lock(&shpool->mutex); 1818 ngx_shmtx_lock(&shpool->mutex);
1773 1819
1927 return NGX_OK; 1973 return NGX_OK;
1928 } 1974 }
1929 1975
1930 1976
1931 ngx_int_t 1977 ngx_int_t
1978 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
1979 {
1980 int len;
1981 u_char *p, *buf;
1982 SSL_SESSION *sess;
1983
1984 sess = SSL_get0_session(c->ssl->connection);
1985
1986 len = i2d_SSL_SESSION(sess, NULL);
1987
1988 buf = ngx_alloc(len, c->log);
1989 if (buf == NULL) {
1990 return NGX_ERROR;
1991 }
1992
1993 s->len = 2 * len;
1994 s->data = ngx_pnalloc(pool, 2 * len);
1995 if (s->data == NULL) {
1996 ngx_free(buf);
1997 return NGX_ERROR;
1998 }
1999
2000 p = buf;
2001 i2d_SSL_SESSION(sess, &p);
2002
2003 ngx_hex_dump(s->data, buf, len);
2004
2005 ngx_free(buf);
2006
2007 return NGX_OK;
2008 }
2009
2010
2011 ngx_int_t
1932 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) 2012 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
1933 { 2013 {
1934 size_t len; 2014 size_t len;
1935 BIO *bio; 2015 BIO *bio;
1936 X509 *cert; 2016 X509 *cert;
2235 2315
2236 2316
2237 static void 2317 static void
2238 ngx_openssl_exit(ngx_cycle_t *cycle) 2318 ngx_openssl_exit(ngx_cycle_t *cycle)
2239 { 2319 {
2320 EVP_cleanup();
2240 ENGINE_cleanup(); 2321 ENGINE_cleanup();
2241 } 2322 }