comparison src/event/ngx_event_openssl.c @ 8839:fac88e160653 quic
Merged with the default branch.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 01 Sep 2021 10:57:25 +0300 |
parents | 6674a50cbb6c dda421871bc2 |
children | 61d0fa67b55e |
8838:d6e191a583cc | 8839:fac88e160653 |
---|---|
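--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -297,15 +297,10 @@
 
 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
 #endif
 
-#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
-/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
-SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
-#endif
-
 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
 #endif
 
 #ifdef SSL_OP_TLS_D5_BUG
@@ -374,10 +369,14 @@
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
 #endif
 
 #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+#endif
+
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
 #endif
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
@@ -856,15 +855,10 @@
 }
 
 if (prefer_server_ciphers) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
-
-#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
-/* a temporary 512-bit RSA key is required for export versions of MSIE */
-SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
-#endif
 
 return NGX_OK;
 }
 
 
@@ -1114,32 +1108,10 @@
 }
 }
 }
 
 
-RSA *
-ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
-int key_length)
-{
-static RSA *key;
-
-if (key_length != 512) {
-return NULL;
-}
-
-#if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED)
-
-if (key == NULL) {
-key = RSA_generate_key(512, RSA_F4, NULL, NULL);
-}
-
-#endif
-
-return key;
-}
-
-
 ngx_array_t *
 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
 {
 u_char *p, *last, *end;
 size_t len;
@@ -1348,11 +1320,10 @@
 
 
 ngx_int_t
 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
 {
-DH *dh;
 BIO *bio;
 
 if (file->len == 0) {
 return NGX_OK;
 }
@@ -1365,22 +1336,59 @@
 if (bio == NULL) {
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 "BIO_new_file(\"%s\") failed", file->data);
 return NGX_ERROR;
 }
+
+#ifdef SSL_CTX_set_tmp_dh
+{
+DH *dh;
 
 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
 if (dh == NULL) {
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 "PEM_read_bio_DHparams(\"%s\") failed", file->data);
 BIO_free(bio);
 return NGX_ERROR;
 }
 
-SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"SSL_CTX_set_tmp_dh(\"%s\") failed", file->data);
+DH_free(dh);
+BIO_free(bio);
+return NGX_ERROR;
+}
 
 DH_free(dh);
+}
+#else
+{
+EVP_PKEY *dh;
+
+/*
+* PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh()
+* are deprecated in OpenSSL 3.0
+*/
+
+dh = PEM_read_bio_Parameters(bio, NULL);
+if (dh == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"PEM_read_bio_Parameters(\"%s\") failed", file->data);
+BIO_free(bio);
+return NGX_ERROR;
+}
+
+if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data);
+BIO_free(bio);
+return NGX_ERROR;
+}
+}
+#endif
+
 BIO_free(bio);
 
 return NGX_OK;
 }
 
@@ -1738,10 +1746,13 @@
 c->recv = ngx_ssl_recv;
 c->send = ngx_ssl_write;
 c->recv_chain = ngx_ssl_recv_chain;
 c->send_chain = ngx_ssl_send_chain;
 
+c->read->ready = 1;
+c->write->ready = 1;
+
 #ifndef SSL_OP_NO_RENEGOTIATION
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 
 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
@@ -1882,10 +1893,13 @@
 
 c->recv = ngx_ssl_recv;
 c->send = ngx_ssl_write;
 c->recv_chain = ngx_ssl_recv_chain;
 c->send_chain = ngx_ssl_send_chain;
+
+c->read->ready = 1;
+c->write->ready = 1;
 
 rc = ngx_ssl_ocsp_validate(c);
 
 if (rc == NGX_ERROR) {
 return NGX_ERROR;
@@ -3239,11 +3253,11 @@
 if (ERR_peek_error()) {
 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);
 
 for ( ;; ) {
 
-n = ERR_peek_error_line_data(NULL, NULL, &data, &flags);
+n = ERR_peek_error_data(&data, &flags);
 
 if (n == 0) {
 break;
 }
 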
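Review bot: The error message in the OpenSSL 3.0 branch of ngx_ssl_dhparam has a malformed escape: `"SSL_CTX_set0_tmp_dh_pkey(\%s\") failed"` should read `"SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed"` like the other messages in that hunk; `\%` is not a valid C escape sequence, so compilers warn and the logged text ends with an unbalanced quote. In the same failure path the EVP_PKEY returned by PEM_read_bio_Parameters() is never released, whereas the DH branch calls DH_free(dh) before returning; whether the caller still owns the key after a failed set0 call depends on the OpenSSL version, so this should be confirmed and an `EVP_PKEY_free(dh);` added where ownership stays with the caller. The enclosing ngx_ssl_dhparam function begins before that hunk.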