Mercurial > hg > nginx
annotate src/http/modules/ngx_http_secure_link_module.c @ 6982:ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation). On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.
On the client side the situation is different though. There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems. This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).
Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt. This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 18 Apr 2017 16:08:44 +0300 |
parents | d89442dab4d1 |
children | c7d4017c8876 |
rev | line source |
---|---|
2260 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
2260 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_http.h> | |
11 #include <ngx_md5.h> | |
12 | |
13 | |
14 typedef struct { | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
15 ngx_http_complex_value_t *variable; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
16 ngx_http_complex_value_t *md5; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
17 ngx_str_t secret; |
2260 | 18 } ngx_http_secure_link_conf_t; |
19 | |
20 | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
21 typedef struct { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
22 ngx_str_t expires; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
23 } ngx_http_secure_link_ctx_t; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
24 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
25 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
26 static ngx_int_t ngx_http_secure_link_old_variable(ngx_http_request_t *r, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
27 ngx_http_secure_link_conf_t *conf, ngx_http_variable_value_t *v, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
28 uintptr_t data); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
29 static ngx_int_t ngx_http_secure_link_expires_variable(ngx_http_request_t *r, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
30 ngx_http_variable_value_t *v, uintptr_t data); |
2260 | 31 static void *ngx_http_secure_link_create_conf(ngx_conf_t *cf); |
32 static char *ngx_http_secure_link_merge_conf(ngx_conf_t *cf, void *parent, | |
33 void *child); | |
34 static ngx_int_t ngx_http_secure_link_add_variables(ngx_conf_t *cf); | |
35 | |
36 | |
37 static ngx_command_t ngx_http_secure_link_commands[] = { | |
38 | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
39 { ngx_string("secure_link"), |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
40 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, |
3761 | 41 ngx_http_set_complex_value_slot, |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
42 NGX_HTTP_LOC_CONF_OFFSET, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
43 offsetof(ngx_http_secure_link_conf_t, variable), |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
44 NULL }, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
45 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
46 { ngx_string("secure_link_md5"), |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
47 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, |
3761 | 48 ngx_http_set_complex_value_slot, |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
49 NGX_HTTP_LOC_CONF_OFFSET, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
50 offsetof(ngx_http_secure_link_conf_t, md5), |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
51 NULL }, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
52 |
2260 | 53 { ngx_string("secure_link_secret"), |
54 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, | |
55 ngx_conf_set_str_slot, | |
56 NGX_HTTP_LOC_CONF_OFFSET, | |
57 offsetof(ngx_http_secure_link_conf_t, secret), | |
58 NULL }, | |
59 | |
60 ngx_null_command | |
61 }; | |
62 | |
63 | |
64 static ngx_http_module_t ngx_http_secure_link_module_ctx = { | |
65 ngx_http_secure_link_add_variables, /* preconfiguration */ | |
66 NULL, /* postconfiguration */ | |
67 | |
68 NULL, /* create main configuration */ | |
69 NULL, /* init main configuration */ | |
70 | |
71 NULL, /* create server configuration */ | |
72 NULL, /* merge server configuration */ | |
73 | |
74 ngx_http_secure_link_create_conf, /* create location configuration */ | |
75 ngx_http_secure_link_merge_conf /* merge location configuration */ | |
76 }; | |
77 | |
78 | |
79 ngx_module_t ngx_http_secure_link_module = { | |
80 NGX_MODULE_V1, | |
81 &ngx_http_secure_link_module_ctx, /* module context */ | |
82 ngx_http_secure_link_commands, /* module directives */ | |
83 NGX_HTTP_MODULE, /* module type */ | |
84 NULL, /* init master */ | |
85 NULL, /* init module */ | |
86 NULL, /* init process */ | |
87 NULL, /* init thread */ | |
88 NULL, /* exit thread */ | |
89 NULL, /* exit process */ | |
90 NULL, /* exit master */ | |
91 NGX_MODULE_V1_PADDING | |
92 }; | |
93 | |
94 | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
95 static ngx_str_t ngx_http_secure_link_name = ngx_string("secure_link"); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
96 static ngx_str_t ngx_http_secure_link_expires_name = |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
97 ngx_string("secure_link_expires"); |
2260 | 98 |
99 | |
100 static ngx_int_t | |
101 ngx_http_secure_link_variable(ngx_http_request_t *r, | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
102 ngx_http_variable_value_t *v, uintptr_t data) |
2260 | 103 { |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
104 u_char *p, *last; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
105 ngx_str_t val, hash; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
106 time_t expires; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
107 ngx_md5_t md5; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
108 ngx_http_secure_link_ctx_t *ctx; |
2260 | 109 ngx_http_secure_link_conf_t *conf; |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
110 u_char hash_buf[16], md5_buf[16]; |
2260 | 111 |
112 conf = ngx_http_get_module_loc_conf(r, ngx_http_secure_link_module); | |
113 | |
5017
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
114 if (conf->secret.data) { |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
115 return ngx_http_secure_link_old_variable(r, conf, v, data); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
116 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
117 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
118 if (conf->variable == NULL || conf->md5 == NULL) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
119 goto not_found; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
120 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
121 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
122 if (ngx_http_complex_value(r, conf->variable, &val) != NGX_OK) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
123 return NGX_ERROR; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
124 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
125 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
126 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
127 "secure link: \"%V\"", &val); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
128 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
129 last = val.data + val.len; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
130 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
131 p = ngx_strlchr(val.data, last, ','); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
132 expires = 0; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
133 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
134 if (p) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
135 val.len = p++ - val.data; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
136 |
3760
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
137 expires = ngx_atotm(p, last - p); |
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
138 if (expires <= 0) { |
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
139 goto not_found; |
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
140 } |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
141 |
3760
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
142 ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_secure_link_ctx_t)); |
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
143 if (ctx == NULL) { |
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
144 return NGX_ERROR; |
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
145 } |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
146 |
3760
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
147 ngx_http_set_ctx(r, ctx, ngx_http_secure_link_module); |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
148 |
3760
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
149 ctx->expires.len = last - p; |
38f74d11e5bd
discard "secure_link_expires on|off"
Igor Sysoev <igor@sysoev.ru>
parents:
3756
diff
changeset
|
150 ctx->expires.data = p; |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
151 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
152 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
153 if (val.len > 24) { |
2260 | 154 goto not_found; |
155 } | |
156 | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
157 hash.len = 16; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
158 hash.data = hash_buf; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
159 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
160 if (ngx_decode_base64url(&hash, &val) != NGX_OK) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
161 goto not_found; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
162 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
163 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
164 if (hash.len != 16) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
165 goto not_found; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
166 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
167 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
168 if (ngx_http_complex_value(r, conf->md5, &val) != NGX_OK) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
169 return NGX_ERROR; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
170 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
171 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
172 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
173 "secure link md5: \"%V\"", &val); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
174 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
175 ngx_md5_init(&md5); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
176 ngx_md5_update(&md5, val.data, val.len); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
177 ngx_md5_final(md5_buf, &md5); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
178 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
179 if (ngx_memcmp(hash_buf, md5_buf, 16) != 0) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
180 goto not_found; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
181 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
182 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
183 v->data = (u_char *) ((expires && expires < ngx_time()) ? "0" : "1"); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
184 v->len = 1; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
185 v->valid = 1; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
186 v->no_cacheable = 0; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
187 v->not_found = 0; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
188 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
189 return NGX_OK; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
190 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
191 not_found: |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
192 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
193 v->not_found = 1; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
194 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
195 return NGX_OK; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
196 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
197 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
198 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
199 static ngx_int_t |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
200 ngx_http_secure_link_old_variable(ngx_http_request_t *r, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
201 ngx_http_secure_link_conf_t *conf, ngx_http_variable_value_t *v, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
202 uintptr_t data) |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
203 { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
204 u_char *p, *start, *end, *last; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
205 size_t len; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
206 ngx_int_t n; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
207 ngx_uint_t i; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
208 ngx_md5_t md5; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
209 u_char hash[16]; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
210 |
2260 | 211 p = &r->unparsed_uri.data[1]; |
212 last = r->unparsed_uri.data + r->unparsed_uri.len; | |
213 | |
214 while (p < last) { | |
215 if (*p++ == '/') { | |
216 start = p; | |
217 goto md5_start; | |
218 } | |
219 } | |
220 | |
221 goto not_found; | |
222 | |
223 md5_start: | |
224 | |
225 while (p < last) { | |
226 if (*p++ == '/') { | |
227 end = p - 1; | |
228 goto url_start; | |
229 } | |
230 } | |
231 | |
232 goto not_found; | |
233 | |
234 url_start: | |
235 | |
236 len = last - p; | |
237 | |
2279 | 238 if (end - start != 32 || len == 0) { |
2260 | 239 goto not_found; |
240 } | |
241 | |
242 ngx_md5_init(&md5); | |
243 ngx_md5_update(&md5, p, len); | |
244 ngx_md5_update(&md5, conf->secret.data, conf->secret.len); | |
245 ngx_md5_final(hash, &md5); | |
246 | |
247 for (i = 0; i < 16; i++) { | |
248 n = ngx_hextoi(&start[2 * i], 2); | |
249 if (n == NGX_ERROR || n != hash[i]) { | |
250 goto not_found; | |
251 } | |
252 } | |
253 | |
254 v->len = len; | |
255 v->valid = 1; | |
256 v->no_cacheable = 0; | |
257 v->not_found = 0; | |
258 v->data = p; | |
259 | |
260 return NGX_OK; | |
261 | |
262 not_found: | |
263 | |
264 v->not_found = 1; | |
265 | |
266 return NGX_OK; | |
267 } | |
268 | |
269 | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
270 static ngx_int_t |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
271 ngx_http_secure_link_expires_variable(ngx_http_request_t *r, |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
272 ngx_http_variable_value_t *v, uintptr_t data) |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
273 { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
274 ngx_http_secure_link_ctx_t *ctx; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
275 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
276 ctx = ngx_http_get_module_ctx(r, ngx_http_secure_link_module); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
277 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
278 if (ctx) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
279 v->len = ctx->expires.len; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
280 v->valid = 1; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
281 v->no_cacheable = 0; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
282 v->not_found = 0; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
283 v->data = ctx->expires.data; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
284 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
285 } else { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
286 v->not_found = 1; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
287 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
288 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
289 return NGX_OK; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
290 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
291 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
292 |
2260 | 293 static void * |
294 ngx_http_secure_link_create_conf(ngx_conf_t *cf) | |
295 { | |
296 ngx_http_secure_link_conf_t *conf; | |
297 | |
298 conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_secure_link_conf_t)); | |
299 if (conf == NULL) { | |
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2279
diff
changeset
|
300 return NULL; |
2260 | 301 } |
302 | |
303 /* | |
304 * set by ngx_pcalloc(): | |
305 * | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
306 * conf->variable = NULL; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
307 * conf->md5 = NULL; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
308 * conf->secret = { 0, NULL }; |
2260 | 309 */ |
310 | |
311 return conf; | |
312 } | |
313 | |
314 | |
315 static char * | |
316 ngx_http_secure_link_merge_conf(ngx_conf_t *cf, void *parent, void *child) | |
317 { | |
318 ngx_http_secure_link_conf_t *prev = parent; | |
319 ngx_http_secure_link_conf_t *conf = child; | |
320 | |
5017
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
321 if (conf->secret.data) { |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
322 if (conf->variable || conf->md5) { |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
323 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
324 "\"secure_link_secret\" cannot be mixed with " |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
325 "\"secure_link\" and \"secure_link_md5\""); |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
326 return NGX_CONF_ERROR; |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
327 } |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
328 |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
329 return NGX_CONF_OK; |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
330 } |
2260 | 331 |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
332 if (conf->variable == NULL) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
333 conf->variable = prev->variable; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
334 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
335 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
336 if (conf->md5 == NULL) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
337 conf->md5 = prev->md5; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
338 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
339 |
5017
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
340 if (conf->variable == NULL && conf->md5 == NULL) { |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
341 conf->secret = prev->secret; |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
342 } |
d89442dab4d1
Secure_link: fixed configuration inheritance.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
343 |
2260 | 344 return NGX_CONF_OK; |
345 } | |
346 | |
347 | |
348 static ngx_int_t | |
349 ngx_http_secure_link_add_variables(ngx_conf_t *cf) | |
350 { | |
351 ngx_http_variable_t *var; | |
352 | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
353 var = ngx_http_add_variable(cf, &ngx_http_secure_link_name, 0); |
2260 | 354 if (var == NULL) { |
355 return NGX_ERROR; | |
356 } | |
357 | |
358 var->get_handler = ngx_http_secure_link_variable; | |
359 | |
3756
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
360 var = ngx_http_add_variable(cf, &ngx_http_secure_link_expires_name, 0); |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
361 if (var == NULL) { |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
362 return NGX_ERROR; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
363 } |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
364 |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
365 var->get_handler = ngx_http_secure_link_expires_variable; |
7224d008faaf
new ngx_http_secure_link_module with secure_link, secure_link_md5, and
Igor Sysoev <igor@sysoev.ru>
parents:
2912
diff
changeset
|
366 |
2260 | 367 return NGX_OK; |
368 } |