comparison src/event/ngx_event_openssl.c @ 632:5b73504dd4ba NGINX_1_1_0

nginx 1.1.0 *) Feature: cache loader run time decrease. *) Feature: "loader_files", "loader_sleep", and "loader_threshold" options of the "proxy/fastcgi/scgi/uwsgi_cache_path" directives. *) Feature: loading time decrease of configuration with large number of HTTPS sites. *) Feature: now nginx supports ECDHE key exchange ciphers. Thanks to Adrian Kotelba. *) Feature: the "lingering_close" directive. Thanks to Maxim Dounin. *) Bugfix: in closing connection for pipelined requests. Thanks to Maxim Dounin. *) Bugfix: nginx did not disable gzipping if client sent "gzip;q=0" in "Accept-Encoding" request header line. *) Bugfix: in timeout in unbuffered proxied mode. Thanks to Maxim Dounin. *) Bugfix: memory leaks when a "proxy_pass" directive contains variables and proxies to an HTTPS backend. Thanks to Maxim Dounin. *) Bugfix: in parameter validation of a "proxy_pass" directive with variables. Thanks to Lanshun Zhou. *) Bugfix: SSL did not work on QNX. Thanks to Maxim Dounin. *) Bugfix: SSL modules could not be built by gcc 4.6 without --with-debug option.
author Igor Sysoev <http://sysoev.ru>
date Mon, 01 Aug 2011 00:00:00 +0400
parents ce857f6b74a7
children 23ef0645ea57
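--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -369,32 +369,22 @@
 }
 }
 }
 
 
-ngx_int_t
-ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl)
+RSA *
+ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length)
 {
-RSA *key;
+static RSA *key;
 
-if (SSL_CTX_need_tmp_RSA(ssl->ctx) == 0) {
-return NGX_OK;
-}
-
-key = RSA_generate_key(512, RSA_F4, NULL, NULL);
+if (key_length == 512) {
+if (key == NULL) {
+key = RSA_generate_key(512, RSA_F4, NULL, NULL);
+}
+}
 
-if (key) {
-SSL_CTX_set_tmp_rsa(ssl->ctx, key);
-
-RSA_free(key);
-
-return NGX_OK;
-}
-
-ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "RSA_generate_key(512) failed");
-
-return NGX_ERROR;
+return key;
 }
 
 
 ngx_int_t
 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
@@ -476,10 +466,49 @@
 BIO_free(bio);
 
 return NGX_OK;
 }
 
+ngx_int_t
+ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+int nid;
+EC_KEY *ecdh;
+
+/*
+* Elliptic-Curve Diffie-Hellman parameters are either "named curves"
+* from RFC 4492 section 5.1.1, or explicitely described curves over
+* binary fields. OpenSSL only supports the "named curves", which provide
+* maximum interoperability.
+*/
+
+nid = OBJ_sn2nid((const char *) name->data);
+if (nid == 0) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"Unknown curve name \"%s\"", name->data);
+return NGX_ERROR;
+}
+
+ecdh = EC_KEY_new_by_curve_name(nid);
+if (ecdh == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"Unable to create curve \"%s\"", name->data);
+return NGX_ERROR;
+}
+
+SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
+
+SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
+
+EC_KEY_free(ecdh);
+#endif
+#endif
+
+return NGX_OK;
+}
 
 ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
 {
 ngx_ssl_connection_t *sc;
@@ -955,14 +984,14 @@
 
 return in;
 }
 
 
-/* the maximum limit size is the maximum uint32_t value - the page size */
+/* the maximum limit size is the maximum int32_t value - the page size */
 
-if (limit == 0 || limit > (off_t) (NGX_MAX_UINT32_VALUE - ngx_pagesize)) {
-limit = NGX_MAX_UINT32_VALUE - ngx_pagesize;
+if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
+limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
 }
 
 buf = c->ssl->buf;
 
 if (buf == NULL) {
@@ -1685,24 +1714,28 @@
 u_char *p;
 uint32_t hash;
 ngx_int_t rc;
 ngx_shm_zone_t *shm_zone;
 ngx_slab_pool_t *shpool;
-ngx_connection_t *c;
 ngx_rbtree_node_t *node, *sentinel;
 ngx_ssl_session_t *sess;
 ngx_ssl_sess_id_t *sess_id;
 ngx_ssl_session_cache_t *cache;
 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
-
-c = ngx_ssl_get_connection(ssl_conn);
+#if (NGX_DEBUG)
+ngx_connection_t *c;
+#endif
 
 hash = ngx_crc32_short(id, (size_t) len);
 *copy = 0;
 
+#if (NGX_DEBUG)
+c = ngx_ssl_get_connection(ssl_conn);
+
 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "ssl get session: %08XD:%d", hash, len);
+#endif
 
 shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
 ngx_ssl_session_cache_index);
 
 cache = shm_zone->data;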
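Review bot: `ngx_ssl_rsa512_key_callback` (first hunk) returns whatever is cached in the static `key` regardless of the requested `key_length`, so once a 512-bit key has been generated it is also handed back for a non-512 request such as a 1024-bit temp RSA for a non-export suite, which silently downgrades that exchange unless OpenSSL rejects the undersized key itself. Guard the length before the lazy generation: `if (key_length != 512) { return NULL; }`. The key is also generated once per worker and then reused for every handshake for the life of the process, so it is "ephemeral" only in name, and a single 512-bit modulus shared across all connections is within reach of well-known factoring efforts; a comment along the lines of `/* 512-bit temp RSA for export suites: generated once per worker and reused, so prefer disabling export ciphers over relying on it */` would make that trade-off visible. Finally, a failed `RSA_generate_key` is silently retried on every callback with no log line, where the removed code logged `RSA_generate_key(512) failed` at `NGX_LOG_EMERG`; logging once on failure would preserve that diagnostic.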