Mercurial > hg > nginx

comparison src/stream/ngx_stream_ssl_module.c @ 8889:61d0fa67b55e quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merged with the default branch.
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 03 Nov 2021 11:22:07 +0300
parents a550d4fa3581 46a02ed7c966
children 5c86189a1c1b
comparison
equal deleted inserted replaced
8888:6d1488b62dc5 8889:61d0fa67b55e
21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s);
22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, 22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
23 ngx_connection_t *c); 23 ngx_connection_t *c);
24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); 24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);
25 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 25 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
26 int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg); 26 static int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad,
27 void *arg);
28 #endif
29 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
30 static int ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
31 const unsigned char **out, unsigned char *outlen,
32 const unsigned char *in, unsigned int inlen, void *arg);
27 #endif 33 #endif
28 #ifdef SSL_R_CERT_CB_ERROR 34 #ifdef SSL_R_CERT_CB_ERROR
29 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg); 35 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
30 #endif 36 #endif
31 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, 37 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
42 ngx_stream_ssl_conf_t *conf); 48 ngx_stream_ssl_conf_t *conf);
43 49
44 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, 50 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
45 void *conf); 51 void *conf);
46 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, 52 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
53 void *conf);
54 static char *ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd,
47 void *conf); 55 void *conf);
48 56
49 static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, 57 static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post,
50 void *data); 58 void *data);
51 59
208 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2, 216 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
209 ngx_conf_set_keyval_slot, 217 ngx_conf_set_keyval_slot,
210 NGX_STREAM_SRV_CONF_OFFSET, 218 NGX_STREAM_SRV_CONF_OFFSET,
211 offsetof(ngx_stream_ssl_conf_t, conf_commands), 219 offsetof(ngx_stream_ssl_conf_t, conf_commands),
212 &ngx_stream_ssl_conf_command_post }, 220 &ngx_stream_ssl_conf_command_post },
221
222 { ngx_string("ssl_alpn"),
223 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
224 ngx_stream_ssl_alpn,
225 NGX_STREAM_SRV_CONF_OFFSET,
226 0,
227 NULL },
213 228
214 ngx_null_command 229 ngx_null_command
215 }; 230 };
216 231
217 232
264 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, 279 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 },
265 280
266 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, 281 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable,
267 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, 282 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 },
268 283
284 { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable,
285 (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 },
286
269 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, 287 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable,
270 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, 288 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 },
271 289
272 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable, 290 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable,
273 (uintptr_t) ngx_ssl_get_raw_certificate, 291 (uintptr_t) ngx_ssl_get_raw_certificate,
432 } 450 }
433 451
434 452
435 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 453 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
436 454
437 int 455 static int
438 ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) 456 ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
439 { 457 {
440 return SSL_TLSEXT_ERR_OK; 458 return SSL_TLSEXT_ERR_OK;
441 } 459 }
442 460
443 #endif 461 #endif
444 462
445 463
464 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
465
466 static int
467 ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
468 unsigned char *outlen, const unsigned char *in, unsigned int inlen,
469 void *arg)
470 {
471 ngx_str_t *alpn;
472 #if (NGX_DEBUG)
473 unsigned int i;
474 ngx_connection_t *c;
475
476 c = ngx_ssl_get_connection(ssl_conn);
477
478 for (i = 0; i < inlen; i += in[i] + 1) {
479 ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0,
480 "SSL ALPN supported by client: %*s",
481 (size_t) in[i], &in[i + 1]);
482 }
483
484 #endif
485
486 alpn = arg;
487
488 if (SSL_select_next_proto((unsigned char **) out, outlen, alpn->data,
489 alpn->len, in, inlen)
490 != OPENSSL_NPN_NEGOTIATED)
491 {
492 return SSL_TLSEXT_ERR_ALERT_FATAL;
493 }
494
495 ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0,
496 "SSL ALPN selected: %*s", (size_t) *outlen, *out);
497
498 return SSL_TLSEXT_ERR_OK;
499 }
500
501 #endif
502
503
446 #ifdef SSL_R_CERT_CB_ERROR 504 #ifdef SSL_R_CERT_CB_ERROR
447 505
448 int 506 static int
449 ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg) 507 ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg)
450 { 508 {
451 ngx_str_t cert, key; 509 ngx_str_t cert, key;
452 ngx_uint_t i, nelts; 510 ngx_uint_t i, nelts;
453 ngx_connection_t *c; 511 ngx_connection_t *c;
600 * scf->dhparam = { 0, NULL }; 658 * scf->dhparam = { 0, NULL };
601 * scf->ecdh_curve = { 0, NULL }; 659 * scf->ecdh_curve = { 0, NULL };
602 * scf->client_certificate = { 0, NULL }; 660 * scf->client_certificate = { 0, NULL };
603 * scf->trusted_certificate = { 0, NULL }; 661 * scf->trusted_certificate = { 0, NULL };
604 * scf->crl = { 0, NULL }; 662 * scf->crl = { 0, NULL };
663 * scf->alpn = { 0, NULL };
605 * scf->ciphers = { 0, NULL }; 664 * scf->ciphers = { 0, NULL };
606 * scf->shm_zone = NULL; 665 * scf->shm_zone = NULL;
607 */ 666 */
608 667
609 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; 668 scf->handshake_timeout = NGX_CONF_UNSET_MSEC;
658 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, 717 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
659 ""); 718 "");
660 ngx_conf_merge_str_value(conf->trusted_certificate, 719 ngx_conf_merge_str_value(conf->trusted_certificate,
661 prev->trusted_certificate, ""); 720 prev->trusted_certificate, "");
662 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); 721 ngx_conf_merge_str_value(conf->crl, prev->crl, "");
722 ngx_conf_merge_str_value(conf->alpn, prev->alpn, "");
663 723
664 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, 724 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
665 NGX_DEFAULT_ECDH_CURVE); 725 NGX_DEFAULT_ECDH_CURVE);
666 726
667 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); 727 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
718 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 778 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
719 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, 779 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
720 ngx_stream_ssl_servername); 780 ngx_stream_ssl_servername);
721 #endif 781 #endif
722 782
783 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
784 if (conf->alpn.len) {
785 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_stream_ssl_alpn_select,
786 &conf->alpn);
787 }
788 #endif
789
723 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, 790 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
724 conf->prefer_server_ciphers) 791 conf->prefer_server_ciphers)
725 != NGX_OK) 792 != NGX_OK)
726 { 793 {
727 return NGX_CONF_ERROR; 794 return NGX_CONF_ERROR;
1055 return NGX_CONF_ERROR; 1122 return NGX_CONF_ERROR;
1056 } 1123 }
1057 1124
1058 1125
1059 static char * 1126 static char *
1127 ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
1128 {
1129 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
1130
1131 ngx_stream_ssl_conf_t *scf = conf;
1132
1133 u_char *p;
1134 size_t len;
1135 ngx_str_t *value;
1136 ngx_uint_t i;
1137
1138 if (scf->alpn.len) {
1139 return "is duplicate";
1140 }
1141
1142 value = cf->args->elts;
1143
1144 len = 0;
1145
1146 for (i = 1; i < cf->args->nelts; i++) {
1147
1148 if (value[i].len > 255) {
1149 return "protocol too long";
1150 }
1151
1152 len += value[i].len + 1;
1153 }
1154
1155 scf->alpn.data = ngx_pnalloc(cf->pool, len);
1156 if (scf->alpn.data == NULL) {
1157 return NGX_CONF_ERROR;
1158 }
1159
1160 p = scf->alpn.data;
1161
1162 for (i = 1; i < cf->args->nelts; i++) {
1163 *p++ = value[i].len;
1164 p = ngx_cpymem(p, value[i].data, value[i].len);
1165 }
1166
1167 scf->alpn.len = len;
1168
1169 return NGX_CONF_OK;
1170
1171 #else
1172 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
1173 "the \"ssl_alpn\" directive requires OpenSSL "
1174 "with ALPN support");
1175 return NGX_CONF_ERROR;
1176 #endif
1177 }
1178
1179
1180 static char *
1060 ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) 1181 ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
1061 { 1182 {
1062 #ifndef SSL_CONF_FLAG_FILE 1183 #ifndef SSL_CONF_FLAG_FILE
1063 return "is not supported on this platform"; 1184 return "is not supported on this platform";
1064 #else 1185 #else