comparison src/event/ngx_event_openssl.c @ 2044:f45cec1cd270

DH parameters, ssl_dhparam
author Igor Sysoev <igor@sysoev.ru>
date Mon, 16 Jun 2008 05:51:32 +0000
parents 12b3ad3353f9
children 2b11822b12d6
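--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -180,10 +180,11 @@
 
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 #endif
 
+SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
 
 if (ngx_ssl_protocols[protocols >> 1] != 0) {
 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
 }
 
@@ -346,10 +347,93 @@
 }
 
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "RSA_generate_key(512) failed");
 
 return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+DH *dh;
+BIO *bio;
+
+/*
+* -----BEGIN DH PARAMETERS-----
+* MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
+* y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
+* 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
+* -----END DH PARAMETERS-----
+*/
+
+static unsigned char dh1024_p[] = {
+0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
+0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
+0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
+0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
+0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
+0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
+0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
+0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
+0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
+0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
+0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
+};
+
+static unsigned char dh1024_g[] = { 0x02 };
+
+
+if (file->len == 0) {
+
+dh = DH_new();
+if (dh == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
+return NGX_ERROR;
+}
+
+dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+
+if (dh->p == NULL || dh->g == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
+DH_free(dh);
+return NGX_ERROR;
+}
+
+SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+DH_free(dh);
+
+return NGX_OK;
+}
+
+if (ngx_conf_full_name(cf->cycle, file, 1) == NGX_ERROR) {
+return NGX_ERROR;
+}
+
+bio = BIO_new_file((char *) file->data, "r");
+if (bio == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"BIO_new_file(\"%s\") failed", file->data);
+return NGX_ERROR;
+}
+
+dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+if (dh == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"PEM_read_bio_DHparams(\"%s\") failed", file->data);
+BIO_free(bio);
+return NGX_ERROR;
+}
+
+SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+
+DH_free(dh);
+BIO_free(bio);
+
+return NGX_OK;
 }
 
 
 ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)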
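Review bot: Both `SSL_CTX_set_tmp_dh(ssl->ctx, dh);` calls in the new ngx_ssl_dhparam (the built-in-group branch and the ssl_dhparam file branch) discard the return value, so a rejected parameter set (an allocation failure when OpenSSL copies the DH, or in later OpenSSL versions a security-level rejection) leaves the context without DH parameters and surfaces only later as DHE handshakes failing, with nothing in the error log at startup. Every other OpenSSL call in this function is checked and reported through ngx_ssl_error, and the two set_tmp_dh sites should follow the same pattern, freeing dh (and bio in the file branch) before returning NGX_ERROR, as in the excerpt below. Separately, the fallback group is a fixed, published 1024-bit modulus shared by every server that does not set ssl_dhparam, which is below what is generally recommended for DHE today; a comment above dh1024_p such as `/* built-in fallback only; production should set ssl_dhparam to a locally generated, larger group */` would make the intent clear, and the SSL_OP_SINGLE_DH_USE added in the first hunk is the right companion either way since it forces a fresh DH private key per handshake. The BN_bin2bn failure path is correct as written, since DH_free releases whichever of p and g was allocated.
```c
/* … unchanged: build dh from the built-in dh1024_p / dh1024_g … */
if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) == 0) {
    ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_set_tmp_dh() failed");
    DH_free(dh);
    return NGX_ERROR;
}

DH_free(dh);

return NGX_OK;
/* … unchanged: ssl_dhparam file branch; same check there, with BIO_free(bio) before returning … */
```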