Mercurial > hg > nginx

comparison src/http/modules/ngx_http_ssl_module.c @ 7462:be2af41d3620

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: variables support in ssl_certificate and ssl_certificate_key. To evaluate variables, a request is created in the certificate callback, and then freed. To do this without side effects on the stub_status counters and connection state, an additional function was introduced, ngx_http_alloc_request(). Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb() in older versions.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 25 Feb 2019 16:42:05 +0300
parents ba971deb4b44
children 180df83473a4
comparison
equal deleted inserted replaced
7461:a68799465b19 7462:be2af41d3620
38 38
39 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf); 39 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
40 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); 40 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
41 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, 41 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
42 void *parent, void *child); 42 void *parent, void *child);
43
44 static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
45 ngx_http_ssl_srv_conf_t *conf);
43 46
44 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, 47 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
45 void *conf); 48 void *conf);
46 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, 49 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
47 void *conf); 50 void *conf);
548 551
549 /* 552 /*
550 * set by ngx_pcalloc(): 553 * set by ngx_pcalloc():
551 * 554 *
552 * sscf->protocols = 0; 555 * sscf->protocols = 0;
556 * sscf->certificate_values = NULL;
553 * sscf->dhparam = { 0, NULL }; 557 * sscf->dhparam = { 0, NULL };
554 * sscf->ecdh_curve = { 0, NULL }; 558 * sscf->ecdh_curve = { 0, NULL };
555 * sscf->client_certificate = { 0, NULL }; 559 * sscf->client_certificate = { 0, NULL };
556 * sscf->trusted_certificate = { 0, NULL }; 560 * sscf->trusted_certificate = { 0, NULL };
557 * sscf->crl = { 0, NULL }; 561 * sscf->crl = { 0, NULL };
725 } 729 }
726 730
727 cln->handler = ngx_ssl_cleanup_ctx; 731 cln->handler = ngx_ssl_cleanup_ctx;
728 cln->data = &conf->ssl; 732 cln->data = &conf->ssl;
729 733
730 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, 734 if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
731 conf->certificate_keys, conf->passwords) 735 return NGX_CONF_ERROR;
732 != NGX_OK) 736 }
733 { 737
734 return NGX_CONF_ERROR; 738 if (conf->certificate_values) {
739
740 #ifdef SSL_R_CERT_CB_ERROR
741
742 /* install callback to lookup certificates */
743
744 SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, NULL);
745
746 #else
747 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
748 "variables in "
749 "\"ssl_certificate\" and \"ssl_certificate_key\" "
750 "directives are not supported on this platform");
751 return NGX_CONF_ERROR;
752 #endif
753
754 } else {
755
756 /* configure certificates */
757
758 if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
759 conf->certificate_keys, conf->passwords)
760 != NGX_OK)
761 {
762 return NGX_CONF_ERROR;
763 }
735 } 764 }
736 765
737 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, 766 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
738 conf->prefer_server_ciphers) 767 conf->prefer_server_ciphers)
739 != NGX_OK) 768 != NGX_OK)
826 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) { 855 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
827 return NGX_CONF_ERROR; 856 return NGX_CONF_ERROR;
828 } 857 }
829 858
830 return NGX_CONF_OK; 859 return NGX_CONF_OK;
860 }
861
862
863 static ngx_int_t
864 ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
865 ngx_http_ssl_srv_conf_t *conf)
866 {
867 ngx_str_t *cert, *key;
868 ngx_uint_t i, nelts;
869 ngx_http_complex_value_t *cv;
870 ngx_http_compile_complex_value_t ccv;
871
872 cert = conf->certificates->elts;
873 key = conf->certificate_keys->elts;
874 nelts = conf->certificates->nelts;
875
876 for (i = 0; i < nelts; i++) {
877
878 if (ngx_http_script_variables_count(&cert[i])) {
879 goto found;
880 }
881
882 if (ngx_http_script_variables_count(&key[i])) {
883 goto found;
884 }
885 }
886
887 return NGX_OK;
888
889 found:
890
891 conf->certificate_values = ngx_array_create(cf->pool, nelts,
892 sizeof(ngx_http_complex_value_t));
893 if (conf->certificate_values == NULL) {
894 return NGX_ERROR;
895 }
896
897 conf->certificate_key_values = ngx_array_create(cf->pool, nelts,
898 sizeof(ngx_http_complex_value_t));
899 if (conf->certificate_key_values == NULL) {
900 return NGX_ERROR;
901 }
902
903 for (i = 0; i < nelts; i++) {
904
905 cv = ngx_array_push(conf->certificate_values);
906 if (cv == NULL) {
907 return NGX_ERROR;
908 }
909
910 ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
911
912 ccv.cf = cf;
913 ccv.value = &cert[i];
914 ccv.complex_value = cv;
915 ccv.zero = 1;
916
917 if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
918 return NGX_ERROR;
919 }
920
921 cv = ngx_array_push(conf->certificate_key_values);
922 if (cv == NULL) {
923 return NGX_ERROR;
924 }
925
926 ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
927
928 ccv.cf = cf;
929 ccv.value = &key[i];
930 ccv.complex_value = cv;
931 ccv.zero = 1;
932
933 if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
934 return NGX_ERROR;
935 }
936 }
937
938 return NGX_OK;
831 } 939 }
832 940
833 941
834 static char * 942 static char *
835 ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) 943 ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)