comparison src/http/modules/ngx_http_ssl_module.c @ 671:cec32b3753ac release-0.3.57

nginx-0.3.57-RELEASE import *) Feature: the $ssl_client_serial variable. *) Bugfix: in the "!-e" operator of the "if" directive. Thanks to Andrian Budanstov. *) Bugfix: during client certificate verification nginx did not send the required certificate information to the client. *) Bugfix: the $document_root variable did not support variables in the "root" directive.
author Igor Sysoev <igor@sysoev.ru>
date Wed, 09 Aug 2006 19:59:45 +0000
parents 562806624c4a
children 065b39794fff
670:ba43c68592d0 671:cec32b3753ac
7 #include <ngx_config.h> 7 #include <ngx_config.h>
8 #include <ngx_core.h> 8 #include <ngx_core.h>
9 #include <ngx_http.h> 9 #include <ngx_http.h>
10 10
11 11
12 typedef u_char *(*ngx_ssl_variable_handler_pt)(ngx_connection_t *); 12 typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
13 ngx_pool_t *pool, ngx_str_t *s);
13 14
14 15
15 #define NGX_DEFLAUT_CERTIFICATE "cert.pem" 16 #define NGX_DEFLAUT_CERTIFICATE "cert.pem"
16 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem" 17 #define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem"
17 #define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" 18 #define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
18 19
19 20
20 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); 21 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
22 ngx_http_variable_value_t *v, uintptr_t data);
21 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, 23 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
22 ngx_http_variable_value_t *v, uintptr_t data);
23 static ngx_int_t ngx_http_ssl_client_s_dn(ngx_http_request_t *r,
24 ngx_http_variable_value_t *v, uintptr_t data);
25 static ngx_int_t ngx_http_ssl_client_i_dn(ngx_http_request_t *r,
26 ngx_http_variable_value_t *v, uintptr_t data); 24 ngx_http_variable_value_t *v, uintptr_t data);
27 25
28 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf); 26 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
29 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); 27 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
30 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, 28 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
159 }; 157 };
160 158
161 159
162 static ngx_http_variable_t ngx_http_ssl_vars[] = { 160 static ngx_http_variable_t ngx_http_ssl_vars[] = {
163 161
164 { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_variable, 162 { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
165 (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGABLE, 0 }, 163 (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGABLE, 0 },
166 164
167 { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_variable, 165 { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
168 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGABLE, 0 }, 166 (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGABLE, 0 },
169 167
170 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_client_s_dn, 168 { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
171 0, NGX_HTTP_VAR_CHANGABLE, 0 }, 169 (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGABLE, 0 },
172 170
173 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_client_i_dn, 171 { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
174 0, NGX_HTTP_VAR_CHANGABLE, 0 }, 172 (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGABLE, 0 },
173
174 { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
175 (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGABLE, 0 },
175 176
176 { ngx_null_string, NULL, NULL, 0, 0, 0 } 177 { ngx_null_string, NULL, NULL, 0, 0, 0 }
177 }; 178 };
178 179
179 180
180 static u_char ngx_http_session_id_ctx[] = "HTTP"; 181 static u_char ngx_http_session_id_ctx[] = "HTTP";
181 182
182 183
183 static ngx_int_t 184 static ngx_int_t
184 ngx_http_ssl_variable(ngx_http_request_t *r, 185 ngx_http_ssl_static_variable(ngx_http_request_t *r,
185 ngx_http_variable_value_t *v, uintptr_t data) 186 ngx_http_variable_value_t *v, uintptr_t data)
186 { 187 {
187 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data; 188 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
188 189
189 size_t len; 190 size_t len;
190 u_char *name;
191 191
192 if (r->connection->ssl) { 192 if (r->connection->ssl) {
193 193
194 name = handler(r->connection); 194 (void) handler(r->connection, NULL, (ngx_str_t *) v);
195 195
196 for (len = 0; name[len]; len++) { /* void */ } 196 for (len = 0; v->data[len]; len++) { /* void */ }
197 197
198 v->len = len; 198 v->len = len;
199 v->valid = 1; 199 v->valid = 1;
200 v->no_cachable = 0; 200 v->no_cachable = 0;
201 v->not_found = 0; 201 v->not_found = 0;
202 v->data = name;
203 202
204 return NGX_OK; 203 return NGX_OK;
205 } 204 }
206 205
207 v->not_found = 1; 206 v->not_found = 1;
209 return NGX_OK; 208 return NGX_OK;
210 } 209 }
211 210
212 211
213 static ngx_int_t 212 static ngx_int_t
214 ngx_http_ssl_client_s_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v, 213 ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
215 uintptr_t data) 214 uintptr_t data)
216 { 215 {
216 ngx_ssl_variable_handler_pt handler = (ngx_ssl_variable_handler_pt) data;
217
217 if (r->connection->ssl) { 218 if (r->connection->ssl) {
218 if (ngx_ssl_get_subject_dn(r->connection, r->pool, (ngx_str_t *) v) 219 if (handler(r->connection, r->pool, (ngx_str_t *) v) != NGX_OK) {
219 != NGX_OK)
220 {
221 return NGX_ERROR;
222 }
223
224 if (v->len) {
225 v->valid = 1;
226 v->no_cachable = 0;
227 v->not_found = 0;
228
229 return NGX_OK;
230 }
231 }
232
233 v->not_found = 1;
234
235 return NGX_OK;
236 }
237
238
239 static ngx_int_t
240 ngx_http_ssl_client_i_dn(ngx_http_request_t *r, ngx_http_variable_value_t *v,
241 uintptr_t data)
242 {
243 if (r->connection->ssl) {
244 if (ngx_ssl_get_issuer_dn(r->connection, r->pool, (ngx_str_t *) v)
245 != NGX_OK)
246 {
247 return NGX_ERROR; 220 return NGX_ERROR;
248 } 221 }
249 222
250 if (v->len) { 223 if (v->len) {
251 v->valid = 1; 224 v->valid = 1;
383 "SSL_CTX_set_cipher_list(\"%V\") failed", 356 "SSL_CTX_set_cipher_list(\"%V\") failed",
384 &conf->ciphers); 357 &conf->ciphers);
385 } 358 }
386 359
387 if (conf->verify) { 360 if (conf->verify) {
388 SSL_CTX_set_verify(conf->ssl.ctx, NGX_SSL_VERIFY, 361 if (ngx_ssl_client_certificate(cf, &conf->ssl,
389 ngx_http_ssl_verify_callback); 362 &conf->client_certificate, conf->verify_depth)
390 363 != NGX_OK)
391 SSL_CTX_set_verify_depth(conf->ssl.ctx, conf->verify_depth); 364 {
392 365 return NGX_CONF_ERROR;
393 if (conf->client_certificate.len) {
394 if (ngx_ssl_client_certificate(cf, &conf->ssl,
395 &conf->client_certificate)
396 != NGX_OK)
397 {
398 return NGX_CONF_ERROR;
399 }
400 } 366 }
401 } 367 }
402 368
403 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE 369 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
404 370
422 388
423 return NGX_CONF_OK; 389 return NGX_CONF_OK;
424 } 390 }
425 391
426 392
427 static int
428 ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
429 {
430 return 1;
431 }
432
433
434 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) 393 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE)
435 394
436 static char * 395 static char *
437 ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) 396 ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
438 { 397 {
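Review bot: The new `if (conf->verify)` branch (old lines 387–401, new 360–367) calls ngx_ssl_client_certificate unconditionally, whereas the old code only loaded a CA file when `conf->client_certificate.len` was non-zero, so `ssl_verify_client on` with no `ssl_client_certificate` now reaches the helper with an empty name. That helper is not visible on this page, and the callback deleted in the last hunk accepted every chain (`return 1;`), so whether the server now fails closed on an unverifiable client certificate depends entirely on ngx_event_openssl.c. I would have the merge step reject that configuration explicitly, as below, instead of relying on the helper to notice an empty path. ngx_http_ssl_merge_srv_conf begins before this hunk and its `return NGX_CONF_OK;` sits in the following one.
```c
    if (conf->verify) {
        /* client verification is meaningless without a trusted CA set */
        if (conf->client_certificate.len == 0) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                "no \"ssl_client_certificate\" is defined for \"ssl_verify_client\"");
            return NGX_CONF_ERROR;
        }

        /* … unchanged: ngx_ssl_client_certificate() call … */
    }
```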