comparison src/event/ngx_event_openssl.c @ 4041:f87edc142316 stable-1.0
Merge of r3960, r3961, r3962, r3963, r3965:
SSL related fixes:
*) MSIE export versions are rare now, so RSA 512 key is generated on demand
and is shared among all hosts instead of pregenerating for every HTTPS host
on configuration phase. This decreases start time for configuration with
large number of HTTPS hosts.
*) ECDHE support; patch by Adrian Kotelba
*) fix build by gcc46 with -Wunused-value option
*) fix SSL connection issues on platforms with 32-bit off_t
*) do not try to reuse and save a SSL session for a peer created on the fly
by ngx_http_upstream_create_round_robin_peer(), since the peer lives
only during request so the saved SSL session will never be used again
and just causes memory leak
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Mon, 29 Aug 2011 12:35:53 +0000 |
parents | 033015e01eec |
children | 718f2154b813 |
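--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -369,32 +369,22 @@
 }
 }
 }
 
 
-ngx_int_t
-ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl)
+RSA *
+ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length)
 {
-RSA *key;
+static RSA *key;
 
-if (SSL_CTX_need_tmp_RSA(ssl->ctx) == 0) {
-return NGX_OK;
-}
-
-key = RSA_generate_key(512, RSA_F4, NULL, NULL);
+if (key_length == 512) {
+if (key == NULL) {
+key = RSA_generate_key(512, RSA_F4, NULL, NULL);
+}
+}
 
-if (key) {
-SSL_CTX_set_tmp_rsa(ssl->ctx, key);
-
-RSA_free(key);
-
-return NGX_OK;
-}
-
-ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "RSA_generate_key(512) failed");
-
-return NGX_ERROR;
+return key;
 }
 
 
 ngx_int_t
 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
@@ -476,10 +466,49 @@
 BIO_free(bio);
 
 return NGX_OK;
 }
 
+ngx_int_t
+ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+int nid;
+EC_KEY *ecdh;
+
+/*
+* Elliptic-Curve Diffie-Hellman parameters are either "named curves"
+* from RFC 4492 section 5.1.1, or explicitely described curves over
+* binary fields. OpenSSL only supports the "named curves", which provide
+* maximum interoperability.
+*/
+
+nid = OBJ_sn2nid((const char *) name->data);
+if (nid == 0) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"Unknown curve name \"%s\"", name->data);
+return NGX_ERROR;
+}
+
+ecdh = EC_KEY_new_by_curve_name(nid);
+if (ecdh == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"Unable to create curve \"%s\"", name->data);
+return NGX_ERROR;
+}
+
+SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
+
+SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
+
+EC_KEY_free(ecdh);
+#endif
+#endif
+
+return NGX_OK;
+}
 
 ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
 {
 ngx_ssl_connection_t *sc;
@@ -955,14 +984,14 @@
 
 return in;
 }
 
 
-/* the maximum limit size is the maximum uint32_t value - the page size */
+/* the maximum limit size is the maximum int32_t value - the page size */
 
-if (limit == 0 || limit > (off_t) (NGX_MAX_UINT32_VALUE - ngx_pagesize)) {
-limit = NGX_MAX_UINT32_VALUE - ngx_pagesize;
+if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
+limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
 }
 
 buf = c->ssl->buf;
 
 if (buf == NULL) {
@@ -1685,24 +1714,28 @@
 u_char *p;
 uint32_t hash;
 ngx_int_t rc;
 ngx_shm_zone_t *shm_zone;
 ngx_slab_pool_t *shpool;
-ngx_connection_t *c;
 ngx_rbtree_node_t *node, *sentinel;
 ngx_ssl_session_t *sess;
 ngx_ssl_sess_id_t *sess_id;
 ngx_ssl_session_cache_t *cache;
 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
-
-c = ngx_ssl_get_connection(ssl_conn);
+#if (NGX_DEBUG)
+ngx_connection_t *c;
+#endif
 
 hash = ngx_crc32_short(id, (size_t) len);
 *copy = 0;
 
+#if (NGX_DEBUG)
+c = ngx_ssl_get_connection(ssl_conn);
+
 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "ssl get session: %08XD:%d", hash, len);
+#endif
 
 shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
 ngx_ssl_session_cache_index);
 
 cache = shm_zone->data;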
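Review bot: ngx_ssl_ecdh_curve (second hunk, complete within it) returns NGX_OK even when its whole body is compiled out under `OPENSSL_NO_ECDH` or an OpenSSL older than 0.9.8, so a configured curve name is silently accepted while no ECDHE parameters are installed and the operator gets no sign that ECDHE is unavailable in this build. A warning in that compiled-out path would make the gap visible, e.g. `ngx_log_error(NGX_LOG_WARN, ssl->log, 0, "ECDH is not supported by this OpenSSL build, curve \"%s\" ignored", name->data);` in an `#else` for the `OPENSSL_NO_ECDH` guard. Also, the two ngx_ssl_error calls format `name->data` with `%s`, which relies on the ngx_str_t being NUL-terminated (as the OBJ_sn2nid call already does); the usual nginx idiom for an ngx_str_t is `"%V", name`. Separately, ngx_ssl_rsa512_key_callback in the first hunk drops the `"RSA_generate_key(512) failed"` diagnostic of the code it replaces, so a failed on-demand generation now surfaces only as a failed handshake; obtaining the connection with ngx_ssl_get_connection(ssl), as the last hunk does, and logging through `c->log` when `key` stays NULL would restore it.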