comparison src/http/modules/ngx_http_ssl_module.c @ 8411:7995cd199b52 quic

Merged with the default branch.
author Sergey Kandaurov <pluknet@nginx.com>
date Tue, 26 May 2020 20:26:44 +0300
parents c9c3a73df6e8 b56f725dd4bb
children 0d2b2664b41c
8410:c7d1b500bd0a 8411:7995cd199b52
47 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, 47 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
48 void *conf); 48 void *conf);
49 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, 49 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
50 void *conf); 50 void *conf);
51 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, 51 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
52 void *conf);
53 static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
52 void *conf); 54 void *conf);
53 55
54 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); 56 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
55 57
56 58
72 { ngx_string("optional_no_ca"), 3 }, 74 { ngx_string("optional_no_ca"), 3 },
73 { ngx_null_string, 0 } 75 { ngx_null_string, 0 }
74 }; 76 };
75 77
76 78
79 static ngx_conf_enum_t ngx_http_ssl_ocsp[] = {
80 { ngx_string("off"), 0 },
81 { ngx_string("on"), 1 },
82 { ngx_string("leaf"), 2 },
83 { ngx_null_string, 0 }
84 };
85
86
77 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = { 87 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = {
78 ngx_conf_deprecated, "ssl", "listen ... ssl" 88 ngx_conf_deprecated, "ssl", "listen ... ssl"
79 }; 89 };
80 90
81 91
210 { ngx_string("ssl_crl"), 220 { ngx_string("ssl_crl"),
211 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, 221 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
212 ngx_conf_set_str_slot, 222 ngx_conf_set_str_slot,
213 NGX_HTTP_SRV_CONF_OFFSET, 223 NGX_HTTP_SRV_CONF_OFFSET,
214 offsetof(ngx_http_ssl_srv_conf_t, crl), 224 offsetof(ngx_http_ssl_srv_conf_t, crl),
225 NULL },
226
227 { ngx_string("ssl_ocsp"),
228 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
229 ngx_conf_set_enum_slot,
230 NGX_HTTP_SRV_CONF_OFFSET,
231 offsetof(ngx_http_ssl_srv_conf_t, ocsp),
232 &ngx_http_ssl_ocsp },
233
234 { ngx_string("ssl_ocsp_responder"),
235 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
236 ngx_conf_set_str_slot,
237 NGX_HTTP_SRV_CONF_OFFSET,
238 offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder),
239 NULL },
240
241 { ngx_string("ssl_ocsp_cache"),
242 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
243 ngx_http_ssl_ocsp_cache,
244 NGX_HTTP_SRV_CONF_OFFSET,
245 0,
215 NULL }, 246 NULL },
216 247
217 { ngx_string("ssl_stapling"), 248 { ngx_string("ssl_stapling"),
218 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, 249 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
219 ngx_conf_set_flag_slot, 250 ngx_conf_set_flag_slot,
567 * sscf->client_certificate = { 0, NULL }; 598 * sscf->client_certificate = { 0, NULL };
568 * sscf->trusted_certificate = { 0, NULL }; 599 * sscf->trusted_certificate = { 0, NULL };
569 * sscf->crl = { 0, NULL }; 600 * sscf->crl = { 0, NULL };
570 * sscf->ciphers = { 0, NULL }; 601 * sscf->ciphers = { 0, NULL };
571 * sscf->shm_zone = NULL; 602 * sscf->shm_zone = NULL;
603 * sscf->ocsp_responder = { 0, NULL };
572 * sscf->stapling_file = { 0, NULL }; 604 * sscf->stapling_file = { 0, NULL };
573 * sscf->stapling_responder = { 0, NULL }; 605 * sscf->stapling_responder = { 0, NULL };
574 */ 606 */
575 607
576 sscf->enable = NGX_CONF_UNSET; 608 sscf->enable = NGX_CONF_UNSET;
584 sscf->passwords = NGX_CONF_UNSET_PTR; 616 sscf->passwords = NGX_CONF_UNSET_PTR;
585 sscf->builtin_session_cache = NGX_CONF_UNSET; 617 sscf->builtin_session_cache = NGX_CONF_UNSET;
586 sscf->session_timeout = NGX_CONF_UNSET; 618 sscf->session_timeout = NGX_CONF_UNSET;
587 sscf->session_tickets = NGX_CONF_UNSET; 619 sscf->session_tickets = NGX_CONF_UNSET;
588 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; 620 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
621 sscf->ocsp = NGX_CONF_UNSET_UINT;
622 sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
589 sscf->stapling = NGX_CONF_UNSET; 623 sscf->stapling = NGX_CONF_UNSET;
590 sscf->stapling_verify = NGX_CONF_UNSET; 624 sscf->stapling_verify = NGX_CONF_UNSET;
591 625
592 return sscf; 626 return sscf;
593 } 627 }
646 680
647 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, 681 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
648 NGX_DEFAULT_ECDH_CURVE); 682 NGX_DEFAULT_ECDH_CURVE);
649 683
650 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); 684 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
685
686 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
687 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
688 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
689 prev->ocsp_cache_zone, NULL);
651 690
652 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); 691 ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
653 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); 692 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
654 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); 693 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
655 ngx_conf_merge_str_value(conf->stapling_responder, 694 ngx_conf_merge_str_value(conf->stapling_responder,
808 847
809 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { 848 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
810 return NGX_CONF_ERROR; 849 return NGX_CONF_ERROR;
811 } 850 }
812 851
852 if (conf->ocsp) {
853
854 if (conf->verify == 3) {
855 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
856 "\"ssl_ocsp\" is incompatible with "
857 "\"ssl_verify_client optional_no_ca\"");
858 return NGX_CONF_ERROR;
859 }
860
861 if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp,
862 conf->ocsp_cache_zone)
863 != NGX_OK)
864 {
865 return NGX_CONF_ERROR;
866 }
867 }
868
813 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { 869 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
814 return NGX_CONF_ERROR; 870 return NGX_CONF_ERROR;
815 } 871 }
816 872
817 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { 873 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
1101 1157
1102 invalid: 1158 invalid:
1103 1159
1104 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, 1160 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
1105 "invalid session cache \"%V\"", &value[i]); 1161 "invalid session cache \"%V\"", &value[i]);
1162
1163 return NGX_CONF_ERROR;
1164 }
1165
1166
1167 static char *
1168 ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
1169 {
1170 ngx_http_ssl_srv_conf_t *sscf = conf;
1171
1172 size_t len;
1173 ngx_int_t n;
1174 ngx_str_t *value, name, size;
1175 ngx_uint_t j;
1176
1177 if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) {
1178 return "is duplicate";
1179 }
1180
1181 value = cf->args->elts;
1182
1183 if (ngx_strcmp(value[1].data, "off") == 0) {
1184 sscf->ocsp_cache_zone = NULL;
1185 return NGX_CONF_OK;
1186 }
1187
1188 if (value[1].len <= sizeof("shared:") - 1
1189 || ngx_strncmp(value[1].data, "shared:", sizeof("shared:") - 1) != 0)
1190 {
1191 goto invalid;
1192 }
1193
1194 len = 0;
1195
1196 for (j = sizeof("shared:") - 1; j < value[1].len; j++) {
1197 if (value[1].data[j] == ':') {
1198 break;
1199 }
1200
1201 len++;
1202 }
1203
1204 if (len == 0) {
1205 goto invalid;
1206 }
1207
1208 name.len = len;
1209 name.data = value[1].data + sizeof("shared:") - 1;
1210
1211 size.len = value[1].len - j - 1;
1212 size.data = name.data + len + 1;
1213
1214 n = ngx_parse_size(&size);
1215
1216 if (n == NGX_ERROR) {
1217 goto invalid;
1218 }
1219
1220 if (n < (ngx_int_t) (8 * ngx_pagesize)) {
1221 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
1222 "OCSP cache \"%V\" is too small", &value[1]);
1223
1224 return NGX_CONF_ERROR;
1225 }
1226
1227 sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n,
1228 &ngx_http_ssl_module_ctx);
1229 if (sscf->ocsp_cache_zone == NULL) {
1230 return NGX_CONF_ERROR;
1231 }
1232
1233 sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init;
1234
1235 return NGX_CONF_OK;
1236
1237 invalid:
1238
1239 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
1240 "invalid OCSP cache \"%V\"", &value[1]);
1106 1241
1107 return NGX_CONF_ERROR; 1242 return NGX_CONF_ERROR;
1108 } 1243 }
1109 1244
1110 1245
1124 1259
1125 for (s = 0; s < cmcf->servers.nelts; s++) { 1260 for (s = 0; s < cmcf->servers.nelts; s++) {
1126 1261
1127 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; 1262 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
1128 1263
1129 if (sscf->ssl.ctx == NULL || !sscf->stapling) { 1264 if (sscf->ssl.ctx == NULL) {
1130 continue; 1265 continue;
1131 } 1266 }
1132 1267
1133 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index]; 1268 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
1134 1269
1135 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, 1270 if (sscf->stapling) {
1271 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
1272 clcf->resolver_timeout)
1273 != NGX_OK)
1274 {
1275 return NGX_ERROR;
1276 }
1277 }
1278
1279 if (sscf->ocsp) {
1280 if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver,
1136 clcf->resolver_timeout) 1281 clcf->resolver_timeout)
1137 != NGX_OK) 1282 != NGX_OK)
1138 { 1283 {
1139 return NGX_ERROR; 1284 return NGX_ERROR;
1285 }
1140 } 1286 }
1141 } 1287 }
1142 1288
1143 if (cmcf->ports == NULL) { 1289 if (cmcf->ports == NULL) {
1144 return NGX_OK; 1290 return NGX_OK;
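Review bot: In ngx_http_ssl_ocsp_cache the separator between zone name and size is never confirmed to exist: for an argument of the form `shared:name` with no `:size` suffix the scan loop ends with j equal to value[1].len, so `size.len = value[1].len - j - 1` wraps to SIZE_MAX and size.data is left pointing one past the argument's terminator before ngx_parse_size() reads from it. The directive is presumably still rejected because the parse fails on the first non-digit byte, but that outcome rests on an out-of-bounds read rather than on a check; adding `if (j == value[1].len) { goto invalid; }` right after the loop makes the rejection explicit. The `conf->verify == 3` test in the merge handler relies on the numeric value of the optional_no_ca entry of the ssl_verify_client enum table; a comment such as `/* 3 == optional_no_ca */` or a named constant would keep that coupling visible to the next reader.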