Mercurial > hg > nginx
annotate src/event/ngx_event_openssl.h @ 4904:c3b276283e4a stable-1.2
Merge of r4885: ssl_verify_client optional_no_ca.
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.
Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).
Patch by Mike Kazantsev, Eric O'Connor.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 13 Nov 2012 10:42:16 +0000 |
| parents | d620f497c50f |
| children |
| rev | line source |
|---|---|
|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1 |
|
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2 /* |
|
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
| 4412 | 4 * Copyright (C) Nginx, Inc. |
|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
5 */ |
|
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
6 |
|
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
7 |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_ |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
9 #define _NGX_EVENT_OPENSSL_H_INCLUDED_ |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
10 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
12 #include <ngx_config.h> |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
13 #include <ngx_core.h> |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
14 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
15 #include <openssl/ssl.h> |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
16 #include <openssl/err.h> |
| 968 | 17 #include <openssl/conf.h> |
| 541 | 18 #include <openssl/engine.h> |
|
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
19 #include <openssl/evp.h> |
| 541 | 20 |
| 547 | 21 #define NGX_SSL_NAME "OpenSSL" |
| 22 | |
| 23 | |
| 671 | 24 #define ngx_ssl_session_t SSL_SESSION |
| 25 #define ngx_ssl_conn_t SSL | |
| 26 | |
| 27 | |
| 547 | 28 typedef struct { |
| 29 SSL_CTX *ctx; | |
| 30 ngx_log_t *log; | |
| 31 } ngx_ssl_t; | |
| 541 | 32 |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
33 |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
34 typedef struct { |
| 671 | 35 ngx_ssl_conn_t *connection; |
| 647 | 36 |
| 547 | 37 ngx_int_t last; |
| 38 ngx_buf_t *buf; | |
| 39 | |
| 40 ngx_connection_handler_pt handler; | |
|
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
41 |
| 547 | 42 ngx_event_handler_pt saved_read_handler; |
| 43 ngx_event_handler_pt saved_write_handler; | |
| 479 | 44 |
| 547 | 45 unsigned handshaked:1; |
|
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3154
diff
changeset
|
46 unsigned renegotiation:1; |
| 547 | 47 unsigned buffer:1; |
| 48 unsigned no_wait_shutdown:1; | |
| 49 unsigned no_send_shutdown:1; | |
| 50 } ngx_ssl_connection_t; | |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
51 |
|
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
52 |
| 2032 | 53 #define NGX_SSL_NO_SCACHE -2 |
| 54 #define NGX_SSL_NONE_SCACHE -3 | |
| 55 #define NGX_SSL_NO_BUILTIN_SCACHE -4 | |
| 56 #define NGX_SSL_DFLT_BUILTIN_SCACHE -5 | |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
57 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
58 |
| 1778 | 59 #define NGX_SSL_MAX_SESSION_SIZE 4096 |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
60 |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
61 typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
62 |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
63 struct ngx_ssl_sess_id_s { |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
64 ngx_rbtree_node_t node; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
65 u_char *id; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
66 size_t len; |
|
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
67 u_char *session; |
| 1760 | 68 ngx_queue_t queue; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
69 time_t expire; |
|
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
70 #if (NGX_PTR_SIZE == 8) |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
71 void *stub; |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
72 u_char sess_id[32]; |
|
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
73 #endif |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
74 }; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
75 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
76 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
77 typedef struct { |
|
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1017
diff
changeset
|
78 ngx_rbtree_t session_rbtree; |
|
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1017
diff
changeset
|
79 ngx_rbtree_node_t sentinel; |
| 1760 | 80 ngx_queue_t expire_queue; |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
81 } ngx_ssl_session_cache_t; |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
82 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
83 |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
84 |
|
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
85 #define NGX_SSL_SSLv2 0x0002 |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
86 #define NGX_SSL_SSLv3 0x0004 |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
87 #define NGX_SSL_TLSv1 0x0008 |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
88 #define NGX_SSL_TLSv1_1 0x0010 |
|
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
89 #define NGX_SSL_TLSv1_2 0x0020 |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
90 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
91 |
| 547 | 92 #define NGX_SSL_BUFFER 1 |
| 577 | 93 #define NGX_SSL_CLIENT 2 |
|
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
94 |
| 547 | 95 #define NGX_SSL_BUFSIZE 16384 |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
96 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
97 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
98 ngx_int_t ngx_ssl_init(ngx_log_t *log); |
| 969 | 99 ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); |
| 563 | 100 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
| 101 ngx_str_t *cert, ngx_str_t *key); | |
| 647 | 102 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
| 671 | 103 ngx_str_t *cert, ngx_int_t depth); |
| 2995 | 104 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); |
|
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3464
diff
changeset
|
105 RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length); |
| 2044 | 106 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); |
| 3960 | 107 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
108 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
|
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
109 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); |
|
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
110 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); |
| 547 | 111 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, |
| 543 | 112 ngx_uint_t flags); |
| 577 | 113 |
|
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
114 void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
| 577 | 115 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session); |
| 611 | 116 #define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection) |
| 117 #define ngx_ssl_free_session SSL_SESSION_free | |
| 969 | 118 #define ngx_ssl_get_connection(ssl_conn) \ |
| 119 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index) | |
| 120 #define ngx_ssl_get_server_conf(ssl_ctx) \ | |
| 121 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index) | |
| 611 | 122 |
|
4904
c3b276283e4a
Merge of r4885: ssl_verify_client optional_no_ca.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
123 #define ngx_ssl_verify_error_optional(n) \ |
|
c3b276283e4a
Merge of r4885: ssl_verify_client optional_no_ca.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
124 (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \ |
|
c3b276283e4a
Merge of r4885: ssl_verify_client optional_no_ca.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
125 || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \ |
|
c3b276283e4a
Merge of r4885: ssl_verify_client optional_no_ca.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
126 || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \ |
|
c3b276283e4a
Merge of r4885: ssl_verify_client optional_no_ca.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
127 || n == X509_V_ERR_CERT_UNTRUSTED \ |
|
c3b276283e4a
Merge of r4885: ssl_verify_client optional_no_ca.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
128 || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) |
|
c3b276283e4a
Merge of r4885: ssl_verify_client optional_no_ca.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
129 |
| 611 | 130 |
| 671 | 131 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, |
| 132 ngx_str_t *s); | |
| 133 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, | |
| 134 ngx_str_t *s); | |
| 3154 | 135 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, |
| 136 ngx_str_t *s); | |
| 2123 | 137 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
| 138 ngx_str_t *s); | |
| 2045 | 139 ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
| 140 ngx_str_t *s); | |
| 647 | 141 ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, |
| 142 ngx_str_t *s); | |
| 143 ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, | |
| 144 ngx_str_t *s); | |
| 671 | 145 ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, |
| 146 ngx_str_t *s); | |
| 2994 | 147 ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, |
| 148 ngx_str_t *s); | |
| 671 | 149 |
| 647 | 150 |
| 547 | 151 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); |
| 469 | 152 ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size); |
| 539 | 153 ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); |
| 577 | 154 ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl); |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
155 ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, |
| 489 | 156 off_t limit); |
|
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
157 void ngx_ssl_free_buffer(ngx_connection_t *c); |
|
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
158 ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c); |
| 583 | 159 void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, |
| 489 | 160 char *fmt, ...); |
| 509 | 161 void ngx_ssl_cleanup_ctx(void *data); |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
162 |
|
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
163 |
| 969 | 164 extern int ngx_ssl_connection_index; |
| 165 extern int ngx_ssl_server_conf_index; | |
|
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
166 extern int ngx_ssl_session_cache_index; |
| 671 | 167 |
| 168 | |
|
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
169 #endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */ |