nginx: src/stream/ngx_stream_ssl

annotate src/stream/ngx_stream_ssl_module.c @ 6435:d1c791479bbb

Stream: post first read events from client and upstream. The main proxy function ngx_stream_proxy_process() can terminate the stream session. The code, following it, should check its return code to make sure the session still exists. This happens in client and upstream initialization functions. Swapping ngx_stream_proxy_process() call with the code, that follows it, leaves the same problem vice versa. In future ngx_stream_proxy_process() will call ngx_stream_proxy_next_upstream() making it too complicated to know if stream session still exists after this call. Now ngx_stream_proxy_process() is called from posted event handlers in both places with no code following it. The posted event is automatically removed once session is terminated.

author	Roman Arutyunyan <arut@nginx.com>
date	Tue, 15 Mar 2016 15:55:23 +0300
parents	4b703a5a4631
children	c256dfdd469d

rev	line source
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	2 /*
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	3 * Copyright (C) Igor Sysoev
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	4 * Copyright (C) Nginx, Inc.
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	5 */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	6
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	7
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	8 #include <ngx_config.h>
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	9 #include <ngx_core.h>
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	10 #include <ngx_stream.h>
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	11
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	12
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	13 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	14 #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	15
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	16
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	17 static void ngx_stream_ssl_create_conf(ngx_conf_t cf);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	18 static char ngx_stream_ssl_merge_conf(ngx_conf_t cf, void *parent,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	19 void *child);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	20
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	21 static char ngx_stream_ssl_password_file(ngx_conf_t cf, ngx_command_t *cmd,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	22 void *conf);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	23 static char ngx_stream_ssl_session_cache(ngx_conf_t cf, ngx_command_t *cmd,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	24 void *conf);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	25
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	26
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	27 static ngx_conf_bitmask_t ngx_stream_ssl_protocols[] = {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	28 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	29 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	30 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	31 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	32 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	33 { ngx_null_string, 0 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	34 };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	35
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	36
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	37 static ngx_command_t ngx_stream_ssl_commands[] = {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	38
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	39 { ngx_string("ssl_handshake_timeout"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	40 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	41 ngx_conf_set_msec_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	42 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	43 offsetof(ngx_stream_ssl_conf_t, handshake_timeout),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	44 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	45
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	46 { ngx_string("ssl_certificate"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	47 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	48 ngx_conf_set_str_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	49 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	50 offsetof(ngx_stream_ssl_conf_t, certificate),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	51 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	52
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	53 { ngx_string("ssl_certificate_key"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	54 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	55 ngx_conf_set_str_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	56 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	57 offsetof(ngx_stream_ssl_conf_t, certificate_key),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	58 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	59
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	60 { ngx_string("ssl_password_file"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	61 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	62 ngx_stream_ssl_password_file,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	63 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	64 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	65 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	66
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	67 { ngx_string("ssl_dhparam"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	68 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	69 ngx_conf_set_str_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	70 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	71 offsetof(ngx_stream_ssl_conf_t, dhparam),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	72 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	73
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	74 { ngx_string("ssl_ecdh_curve"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	75 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	76 ngx_conf_set_str_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	77 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	78 offsetof(ngx_stream_ssl_conf_t, ecdh_curve),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	79 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	80
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	81 { ngx_string("ssl_protocols"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	82 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_1MORE,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	83 ngx_conf_set_bitmask_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	84 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	85 offsetof(ngx_stream_ssl_conf_t, protocols),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	86 &ngx_stream_ssl_protocols },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	87
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	88 { ngx_string("ssl_ciphers"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	89 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	90 ngx_conf_set_str_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	91 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	92 offsetof(ngx_stream_ssl_conf_t, ciphers),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	93 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	94
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	95 { ngx_string("ssl_prefer_server_ciphers"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	96 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_FLAG,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	97 ngx_conf_set_flag_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	98 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	99 offsetof(ngx_stream_ssl_conf_t, prefer_server_ciphers),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	100 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	101
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	102 { ngx_string("ssl_session_cache"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	103 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE12,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	104 ngx_stream_ssl_session_cache,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	105 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	106 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	107 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	108
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	109 { ngx_string("ssl_session_tickets"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	110 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_FLAG,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	111 ngx_conf_set_flag_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	112 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	113 offsetof(ngx_stream_ssl_conf_t, session_tickets),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	114 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	115
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	116 { ngx_string("ssl_session_ticket_key"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	117 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	118 ngx_conf_set_str_array_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	119 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	120 offsetof(ngx_stream_ssl_conf_t, session_ticket_keys),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	121 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	122
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	123 { ngx_string("ssl_session_timeout"),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	124 NGX_STREAM_MAIN_CONF\|NGX_STREAM_SRV_CONF\|NGX_CONF_TAKE1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	125 ngx_conf_set_sec_slot,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	126 NGX_STREAM_SRV_CONF_OFFSET,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	127 offsetof(ngx_stream_ssl_conf_t, session_timeout),
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	128 NULL },
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	129
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	130 ngx_null_command
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	131 };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	132
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	133
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	134 static ngx_stream_module_t ngx_stream_ssl_module_ctx = {
6174 68c106e6fa0a Stream: added postconfiguration method to stream modules. Vladimir Homutov <vl@nginx.com> parents: 6157 diff changeset	135 NULL, /* postconfiguration */
68c106e6fa0a Stream: added postconfiguration method to stream modules. Vladimir Homutov <vl@nginx.com> parents: 6157 diff changeset	136
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	137 NULL, /* create main configuration */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	138 NULL, /* init main configuration */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	139
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	140 ngx_stream_ssl_create_conf, /* create server configuration */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	141 ngx_stream_ssl_merge_conf /* merge server configuration */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	142 };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	143
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	144
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	145 ngx_module_t ngx_stream_ssl_module = {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	146 NGX_MODULE_V1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	147 &ngx_stream_ssl_module_ctx, /* module context */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	148 ngx_stream_ssl_commands, /* module directives */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	149 NGX_STREAM_MODULE, /* module type */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	150 NULL, /* init master */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	151 NULL, /* init module */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	152 NULL, /* init process */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	153 NULL, /* init thread */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	154 NULL, /* exit thread */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	155 NULL, /* exit process */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	156 NULL, /* exit master */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	157 NGX_MODULE_V1_PADDING
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	158 };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	159
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	160
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	161 static ngx_str_t ngx_stream_ssl_sess_id_ctx = ngx_string("STREAM");
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	162
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	163
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	164 static void *
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	165 ngx_stream_ssl_create_conf(ngx_conf_t *cf)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	166 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	167 ngx_stream_ssl_conf_t *scf;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	168
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	169 scf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_conf_t));
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	170 if (scf == NULL) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	171 return NULL;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	172 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	173
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	174 /*
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	175 * set by ngx_pcalloc():
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	176 *
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	177 * scf->protocols = 0;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	178 * scf->certificate = { 0, NULL };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	179 * scf->certificate_key = { 0, NULL };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	180 * scf->dhparam = { 0, NULL };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	181 * scf->ecdh_curve = { 0, NULL };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	182 * scf->ciphers = { 0, NULL };
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	183 * scf->shm_zone = NULL;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	184 */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	185
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	186 scf->handshake_timeout = NGX_CONF_UNSET_MSEC;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	187 scf->passwords = NGX_CONF_UNSET_PTR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	188 scf->prefer_server_ciphers = NGX_CONF_UNSET;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	189 scf->builtin_session_cache = NGX_CONF_UNSET;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	190 scf->session_timeout = NGX_CONF_UNSET;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	191 scf->session_tickets = NGX_CONF_UNSET;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	192 scf->session_ticket_keys = NGX_CONF_UNSET_PTR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	193
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	194 return scf;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	195 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	196
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	197
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	198 static char *
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	199 ngx_stream_ssl_merge_conf(ngx_conf_t cf, void parent, void *child)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	200 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	201 ngx_stream_ssl_conf_t *prev = parent;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	202 ngx_stream_ssl_conf_t *conf = child;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	203
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	204 ngx_pool_cleanup_t *cln;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	205
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	206 ngx_conf_merge_msec_value(conf->handshake_timeout,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	207 prev->handshake_timeout, 60000);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	208
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	209 ngx_conf_merge_value(conf->session_timeout,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	210 prev->session_timeout, 300);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	211
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	212 ngx_conf_merge_value(conf->prefer_server_ciphers,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	213 prev->prefer_server_ciphers, 0);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	214
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	215 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
6157 b2899e7d0ef8 Disabled SSLv3 by default (ticket #653). Maxim Dounin <mdounin@mdounin.ru> parents: 6115 diff changeset	216 (NGX_CONF_BITMASK_SET\|NGX_SSL_TLSv1
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	217 \|NGX_SSL_TLSv1_1\|NGX_SSL_TLSv1_2));
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	218
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	219 ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	220 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	221
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	222 ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	223
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	224 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	225
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	226 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	227 NGX_DEFAULT_ECDH_CURVE);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	228
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	229 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	230
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	231
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	232 conf->ssl.log = cf->log;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	233
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	234 if (conf->certificate.len == 0) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	235 return NGX_CONF_OK;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	236 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	237
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	238 if (conf->certificate_key.len == 0) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	239 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	240 "no \"ssl_certificate_key\" is defined "
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	241 "for certificate \"%V\"",
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	242 &conf->certificate);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	243 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	244 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	245
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	246 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	247 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	248 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	249
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	250 cln = ngx_pool_cleanup_add(cf->pool, 0);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	251 if (cln == NULL) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	252 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	253 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	254
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	255 cln->handler = ngx_ssl_cleanup_ctx;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	256 cln->data = &conf->ssl;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	257
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	258 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	259 &conf->certificate_key, conf->passwords)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	260 != NGX_OK)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	261 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	262 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	263 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	264
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	265 if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	266 (const char *) conf->ciphers.data)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	267 == 0)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	268 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	269 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	270 "SSL_CTX_set_cipher_list(\"%V\") failed",
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	271 &conf->ciphers);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	272 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	273 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	274
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	275 if (conf->prefer_server_ciphers) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	276 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	277 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	278
6199 4b703a5a4631 Stream: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL. Piotr Sikora <piotr@cloudflare.com> parents: 6174 diff changeset	279 #ifndef LIBRESSL_VERSION_NUMBER
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	280 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
6199 4b703a5a4631 Stream: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL. Piotr Sikora <piotr@cloudflare.com> parents: 6174 diff changeset	281 #endif
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	282
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	283 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	284 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	285 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	286
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	287 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	288 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	289 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	290
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	291 ngx_conf_merge_value(conf->builtin_session_cache,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	292 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	293
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	294 if (conf->shm_zone == NULL) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	295 conf->shm_zone = prev->shm_zone;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	296 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	297
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	298 if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	299 conf->builtin_session_cache,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	300 conf->shm_zone, conf->session_timeout)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	301 != NGX_OK)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	302 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	303 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	304 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	305
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	306 ngx_conf_merge_value(conf->session_tickets,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	307 prev->session_tickets, 1);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	308
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	309 #ifdef SSL_OP_NO_TICKET
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	310 if (!conf->session_tickets) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	311 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	312 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	313 #endif
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	314
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	315 ngx_conf_merge_ptr_value(conf->session_ticket_keys,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	316 prev->session_ticket_keys, NULL);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	317
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	318 if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	319 != NGX_OK)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	320 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	321 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	322 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	323
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	324 return NGX_CONF_OK;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	325 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	326
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	327
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	328 static char *
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	329 ngx_stream_ssl_password_file(ngx_conf_t cf, ngx_command_t cmd, void *conf)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	330 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	331 ngx_stream_ssl_conf_t *scf = conf;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	332
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	333 ngx_str_t *value;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	334
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	335 if (scf->passwords != NGX_CONF_UNSET_PTR) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	336 return "is duplicate";
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	337 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	338
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	339 value = cf->args->elts;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	340
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	341 scf->passwords = ngx_ssl_read_password_file(cf, &value[1]);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	342
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	343 if (scf->passwords == NULL) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	344 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	345 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	346
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	347 return NGX_CONF_OK;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	348 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	349
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	350
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	351 static char *
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	352 ngx_stream_ssl_session_cache(ngx_conf_t cf, ngx_command_t cmd, void *conf)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	353 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	354 ngx_stream_ssl_conf_t *scf = conf;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	355
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	356 size_t len;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	357 ngx_str_t *value, name, size;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	358 ngx_int_t n;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	359 ngx_uint_t i, j;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	360
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	361 value = cf->args->elts;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	362
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	363 for (i = 1; i < cf->args->nelts; i++) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	364
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	365 if (ngx_strcmp(value[i].data, "off") == 0) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	366 scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	367 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	368 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	369
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	370 if (ngx_strcmp(value[i].data, "none") == 0) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	371 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	372 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	373 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	374
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	375 if (ngx_strcmp(value[i].data, "builtin") == 0) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	376 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	377 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	378 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	379
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	380 if (value[i].len > sizeof("builtin:") - 1
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	381 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	382 == 0)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	383 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	384 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	385 value[i].len - (sizeof("builtin:") - 1));
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	386
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	387 if (n == NGX_ERROR) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	388 goto invalid;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	389 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	390
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	391 scf->builtin_session_cache = n;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	392
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	393 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	394 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	395
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	396 if (value[i].len > sizeof("shared:") - 1
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	397 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	398 == 0)
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	399 {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	400 len = 0;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	401
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	402 for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	403 if (value[i].data[j] == ':') {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	404 break;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	405 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	406
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	407 len++;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	408 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	409
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	410 if (len == 0) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	411 goto invalid;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	412 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	413
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	414 name.len = len;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	415 name.data = value[i].data + sizeof("shared:") - 1;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	416
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	417 size.len = value[i].len - j - 1;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	418 size.data = name.data + len + 1;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	419
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	420 n = ngx_parse_size(&size);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	421
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	422 if (n == NGX_ERROR) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	423 goto invalid;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	424 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	425
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	426 if (n < (ngx_int_t) (8 * ngx_pagesize)) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	427 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	428 "session cache \"%V\" is too small",
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	429 &value[i]);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	430
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	431 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	432 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	433
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	434 scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	435 &ngx_stream_ssl_module);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	436 if (scf->shm_zone == NULL) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	437 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	438 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	439
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	440 scf->shm_zone->init = ngx_ssl_session_cache_init;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	441
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	442 continue;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	443 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	444
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	445 goto invalid;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	446 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	447
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	448 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	449 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	450 }
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	451
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	452 return NGX_CONF_OK;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	453
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	454 invalid:
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	455
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	456 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	457 "invalid session cache \"%V\"", &value[i]);
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	458
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	459 return NGX_CONF_ERROR;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	460 }

Mercurial > hg > nginx

annotate src/stream/ngx_stream_ssl_module.c @ 6435:d1c791479bbb