comparison src/event/ngx_event_openssl.c @ 4041:f87edc142316 stable-1.0

Merge of r3960, r3961, r3962, r3963, r3965: SSL related fixes: *) MSIE export versions are rare now, so RSA 512 key is generated on demand and is shared among all hosts instead of pregenerating for every HTTPS host on configuration phase. This decreases start time for configuration with a large number of HTTPS hosts. *) ECDHE support; patch by Adrian Kotelba *) fix build by gcc46 with -Wunused-value option *) fix SSL connection issues on platforms with 32-bit off_t *) do not try to reuse and save an SSL session for a peer created on the fly by ngx_http_upstream_create_round_robin_peer(), since the peer lives only during the request so the saved SSL session will never be used again and just causes a memory leak
author Igor Sysoev <igor@sysoev.ru>
date Mon, 29 Aug 2011 12:35:53 +0000
parents 033015e01eec
children 718f2154b813
369 } 369 }
370 } 370 }
371 } 371 }
372 372
373 373
374 ngx_int_t 374 RSA *
375 ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl) 375 ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length)
376 { 376 {
377 RSA *key; 377 static RSA *key;
378 378
379 if (SSL_CTX_need_tmp_RSA(ssl->ctx) == 0) { 379 if (key_length == 512) {
380 return NGX_OK; 380 if (key == NULL) {
381 } 381 key = RSA_generate_key(512, RSA_F4, NULL, NULL);
382 382 }
383 key = RSA_generate_key(512, RSA_F4, NULL, NULL); 383 }
384 384
385 if (key) { 385 return key;
386 SSL_CTX_set_tmp_rsa(ssl->ctx, key);
387
388 RSA_free(key);
389
390 return NGX_OK;
391 }
392
393 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "RSA_generate_key(512) failed");
394
395 return NGX_ERROR;
396 } 386 }
397 387
398 388
399 ngx_int_t 389 ngx_int_t
400 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) 390 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
476 BIO_free(bio); 466 BIO_free(bio);
477 467
478 return NGX_OK; 468 return NGX_OK;
479 } 469 }
480 470
471 ngx_int_t
472 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
473 {
474 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
475 #ifndef OPENSSL_NO_ECDH
476 int nid;
477 EC_KEY *ecdh;
478
479 /*
480 * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
481 * from RFC 4492 section 5.1.1, or explicitely described curves over
482 * binary fields. OpenSSL only supports the "named curves", which provide
483 * maximum interoperability.
484 */
485
486 nid = OBJ_sn2nid((const char *) name->data);
487 if (nid == 0) {
488 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
489 "Unknown curve name \"%s\"", name->data);
490 return NGX_ERROR;
491 }
492
493 ecdh = EC_KEY_new_by_curve_name(nid);
494 if (ecdh == NULL) {
495 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
496 "Unable to create curve \"%s\"", name->data);
497 return NGX_ERROR;
498 }
499
500 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
501
502 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
503
504 EC_KEY_free(ecdh);
505 #endif
506 #endif
507
508 return NGX_OK;
509 }
481 510
482 ngx_int_t 511 ngx_int_t
483 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) 512 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
484 { 513 {
485 ngx_ssl_connection_t *sc; 514 ngx_ssl_connection_t *sc;
955 984
956 return in; 985 return in;
957 } 986 }
958 987
959 988
960 /* the maximum limit size is the maximum uint32_t value - the page size */ 989 /* the maximum limit size is the maximum int32_t value - the page size */
961 990
962 if (limit == 0 || limit > (off_t) (NGX_MAX_UINT32_VALUE - ngx_pagesize)) { 991 if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
963 limit = NGX_MAX_UINT32_VALUE - ngx_pagesize; 992 limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
964 } 993 }
965 994
966 buf = c->ssl->buf; 995 buf = c->ssl->buf;
967 996
968 if (buf == NULL) { 997 if (buf == NULL) {
1685 u_char *p; 1714 u_char *p;
1686 uint32_t hash; 1715 uint32_t hash;
1687 ngx_int_t rc; 1716 ngx_int_t rc;
1688 ngx_shm_zone_t *shm_zone; 1717 ngx_shm_zone_t *shm_zone;
1689 ngx_slab_pool_t *shpool; 1718 ngx_slab_pool_t *shpool;
1690 ngx_connection_t *c;
1691 ngx_rbtree_node_t *node, *sentinel; 1719 ngx_rbtree_node_t *node, *sentinel;
1692 ngx_ssl_session_t *sess; 1720 ngx_ssl_session_t *sess;
1693 ngx_ssl_sess_id_t *sess_id; 1721 ngx_ssl_sess_id_t *sess_id;
1694 ngx_ssl_session_cache_t *cache; 1722 ngx_ssl_session_cache_t *cache;
1695 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; 1723 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
1696 1724 #if (NGX_DEBUG)
1697 c = ngx_ssl_get_connection(ssl_conn); 1725 ngx_connection_t *c;
1726 #endif
1698 1727
1699 hash = ngx_crc32_short(id, (size_t) len); 1728 hash = ngx_crc32_short(id, (size_t) len);
1700 *copy = 0; 1729 *copy = 0;
1701 1730
1731 #if (NGX_DEBUG)
1732 c = ngx_ssl_get_connection(ssl_conn);
1733
1702 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, 1734 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
1703 "ssl get session: %08XD:%d", hash, len); 1735 "ssl get session: %08XD:%d", hash, len);
1736 #endif
1704 1737
1705 shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn), 1738 shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
1706 ngx_ssl_session_cache_index); 1739 ngx_ssl_session_cache_index);
1707 1740
1708 cache = shm_zone->data; 1741 cache = shm_zone->data;
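Review bot: ngx_ssl_rsa512_key_callback returns the cached key for every key_length, not only for 512: once a 512-bit key has been generated, a later callback with a different key_length skips the `if (key_length == 512)` branch and still reaches `return key;`, handing OpenSSL a 512-bit key shorter than the length it asked for. Guard the other lengths explicitly at the top, `if (key_length != 512) { return NULL; }`, and keep the lazy generation below it. The removed ngx_ssl_generate_rsa512_key logged an EMERG when RSA_generate_key failed, whereas the callback now returns NULL silently, so a failed generation presumably surfaces only as a handshake failure; the connection's log is reachable via `ngx_ssl_get_connection(ssl)` as the ngx_ssl_get_cached_session hunk shows, and a log line there would preserve that diagnostic. Separately, in ngx_ssl_ecdh_curve the comment's "explicitely" should read "explicitly", and when OPENSSL_NO_ECDH is defined the function returns NGX_OK without touching the context, so a configured curve is silently ignored on such builds — a conf-time warning in that `#else` path would make the degradation visible.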