Mercurial > hg > nginx
annotate src/event/ngx_event_openssl.h @ 6982:ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation). On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.
On the client side the situation is different though. There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems. This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).
Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt. This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 18 Apr 2017 16:08:44 +0300 |
parents | 08dc60979133 |
children | 82f0b8dcca27 |
rev | line source |
---|---|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2 /* |
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
5 */ |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
6 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
7 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_ |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
9 #define _NGX_EVENT_OPENSSL_H_INCLUDED_ |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
10 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
12 #include <ngx_config.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
13 #include <ngx_core.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
14 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
15 #include <openssl/ssl.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
16 #include <openssl/err.h> |
5753
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
17 #include <openssl/bn.h> |
968 | 18 #include <openssl/conf.h> |
5753
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
19 #include <openssl/crypto.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
20 #include <openssl/dh.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
21 #ifndef OPENSSL_NO_ENGINE |
541 | 22 #include <openssl/engine.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
23 #endif |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
24 #include <openssl/evp.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
25 #ifndef OPENSSL_NO_OCSP |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
26 #include <openssl/ocsp.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
27 #endif |
5753
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
28 #include <openssl/rand.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
29 #include <openssl/rsa.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
30 #include <openssl/x509.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
31 #include <openssl/x509v3.h> |
541 | 32 |
547 | 33 #define NGX_SSL_NAME "OpenSSL" |
34 | |
35 | |
6485
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
36 #if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L) |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
37 #undef OPENSSL_VERSION_NUMBER |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
38 #define OPENSSL_VERSION_NUMBER 0x1000107fL |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
39 #endif |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
40 |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
41 |
6492
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
42 #if (OPENSSL_VERSION_NUMBER >= 0x10100001L) |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
43 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
44 #define ngx_ssl_version() OpenSSL_version(OPENSSL_VERSION) |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
45 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
46 #else |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
47 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
48 #define ngx_ssl_version() SSLeay_version(SSLEAY_VERSION) |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
49 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
50 #endif |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
51 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
52 |
671 | 53 #define ngx_ssl_session_t SSL_SESSION |
54 #define ngx_ssl_conn_t SSL | |
55 | |
56 | |
6982
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
57 #if (OPENSSL_VERSION_NUMBER < 0x10002000L) |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
58 #define SSL_is_server(s) (s)->server |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
59 #endif |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
60 |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
61 |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
62 struct ngx_ssl_s { |
547 | 63 SSL_CTX *ctx; |
64 ngx_log_t *log; | |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
65 size_t buffer_size; |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
66 }; |
541 | 67 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
68 |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
69 struct ngx_ssl_connection_s { |
671 | 70 ngx_ssl_conn_t *connection; |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5882
diff
changeset
|
71 SSL_CTX *session_ctx; |
647 | 72 |
547 | 73 ngx_int_t last; |
74 ngx_buf_t *buf; | |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
75 size_t buffer_size; |
547 | 76 |
77 ngx_connection_handler_pt handler; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
78 |
547 | 79 ngx_event_handler_pt saved_read_handler; |
80 ngx_event_handler_pt saved_write_handler; | |
479 | 81 |
547 | 82 unsigned handshaked:1; |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3154
diff
changeset
|
83 unsigned renegotiation:1; |
547 | 84 unsigned buffer:1; |
85 unsigned no_wait_shutdown:1; | |
86 unsigned no_send_shutdown:1; | |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5223
diff
changeset
|
87 unsigned handshake_buffer_set:1; |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
88 }; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
89 |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
90 |
2032 | 91 #define NGX_SSL_NO_SCACHE -2 |
92 #define NGX_SSL_NONE_SCACHE -3 | |
93 #define NGX_SSL_NO_BUILTIN_SCACHE -4 | |
94 #define NGX_SSL_DFLT_BUILTIN_SCACHE -5 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
95 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
96 |
1778 | 97 #define NGX_SSL_MAX_SESSION_SIZE 4096 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
98 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
99 typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
100 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
101 struct ngx_ssl_sess_id_s { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
102 ngx_rbtree_node_t node; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
103 u_char *id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
104 size_t len; |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
105 u_char *session; |
1760 | 106 ngx_queue_t queue; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
107 time_t expire; |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
108 #if (NGX_PTR_SIZE == 8) |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
109 void *stub; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
110 u_char sess_id[32]; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
111 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
112 }; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
113 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
114 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
115 typedef struct { |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1017
diff
changeset
|
116 ngx_rbtree_t session_rbtree; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1017
diff
changeset
|
117 ngx_rbtree_node_t sentinel; |
1760 | 118 ngx_queue_t expire_queue; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
119 } ngx_ssl_session_cache_t; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
120 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
121 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
122 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
123 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
124 typedef struct { |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6817
diff
changeset
|
125 size_t size; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
126 u_char name[16]; |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6817
diff
changeset
|
127 u_char hmac_key[32]; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6817
diff
changeset
|
128 u_char aes_key[32]; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
129 } ngx_ssl_session_ticket_key_t; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
130 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
131 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
132 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
133 |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
134 #define NGX_SSL_SSLv2 0x0002 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
135 #define NGX_SSL_SSLv3 0x0004 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
136 #define NGX_SSL_TLSv1 0x0008 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
137 #define NGX_SSL_TLSv1_1 0x0010 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
138 #define NGX_SSL_TLSv1_2 0x0020 |
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
139 #define NGX_SSL_TLSv1_3 0x0040 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
140 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
141 |
547 | 142 #define NGX_SSL_BUFFER 1 |
577 | 143 #define NGX_SSL_CLIENT 2 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
144 |
547 | 145 #define NGX_SSL_BUFSIZE 16384 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
146 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
147 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
148 ngx_int_t ngx_ssl_init(ngx_log_t *log); |
969 | 149 ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
150 ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
151 ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords); |
563 | 152 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
153 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); |
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6550
diff
changeset
|
154 ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6550
diff
changeset
|
155 ngx_uint_t prefer_server_ciphers); |
647 | 156 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
671 | 157 ngx_str_t *cert, ngx_int_t depth); |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
158 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
159 ngx_str_t *cert, ngx_int_t depth); |
2995 | 160 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
161 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
162 ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
163 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
164 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); |
5223
71d85de7b53b
Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
Piotr Sikora <piotr@cloudflare.com>
parents:
4884
diff
changeset
|
165 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, |
71d85de7b53b
Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
Piotr Sikora <piotr@cloudflare.com>
parents:
4884
diff
changeset
|
166 int key_length); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
167 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); |
2044 | 168 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); |
3960 | 169 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
170 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
171 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
172 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
173 ngx_array_t *paths); |
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
174 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); |
547 | 175 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, |
543 | 176 ngx_uint_t flags); |
577 | 177 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
178 void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
577 | 179 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session); |
611 | 180 #define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection) |
181 #define ngx_ssl_free_session SSL_SESSION_free | |
969 | 182 #define ngx_ssl_get_connection(ssl_conn) \ |
183 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index) | |
184 #define ngx_ssl_get_server_conf(ssl_ctx) \ | |
185 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index) | |
611 | 186 |
4884
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
187 #define ngx_ssl_verify_error_optional(n) \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
188 (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
189 || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
190 || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
191 || n == X509_V_ERR_CERT_UNTRUSTED \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
192 || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
193 |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
194 ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
195 |
611 | 196 |
671 | 197 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, |
198 ngx_str_t *s); | |
199 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, | |
200 ngx_str_t *s); | |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
201 ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
202 ngx_str_t *s); |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
203 ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
204 ngx_str_t *s); |
3154 | 205 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, |
206 ngx_str_t *s); | |
5573
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5487
diff
changeset
|
207 ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5487
diff
changeset
|
208 ngx_str_t *s); |
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
209 ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
210 ngx_str_t *s); |
2123 | 211 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
212 ngx_str_t *s); | |
2045 | 213 ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
214 ngx_str_t *s); | |
647 | 215 ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, |
216 ngx_str_t *s); | |
217 ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, | |
218 ngx_str_t *s); | |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
219 ngx_int_t ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
220 ngx_str_t *s); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
221 ngx_int_t ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
222 ngx_str_t *s); |
671 | 223 ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, |
224 ngx_str_t *s); | |
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5661
diff
changeset
|
225 ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5661
diff
changeset
|
226 ngx_str_t *s); |
2994 | 227 ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, |
228 ngx_str_t *s); | |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
229 ngx_int_t ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
230 ngx_str_t *s); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
231 ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
232 ngx_str_t *s); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
233 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
234 ngx_str_t *s); |
671 | 235 |
647 | 236 |
547 | 237 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); |
469 | 238 ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size); |
539 | 239 ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5777
diff
changeset
|
240 ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
241 ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, |
489 | 242 off_t limit); |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
243 void ngx_ssl_free_buffer(ngx_connection_t *c); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
244 ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c); |
583 | 245 void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, |
489 | 246 char *fmt, ...); |
509 | 247 void ngx_ssl_cleanup_ctx(void *data); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
248 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
249 |
969 | 250 extern int ngx_ssl_connection_index; |
251 extern int ngx_ssl_server_conf_index; | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
252 extern int ngx_ssl_session_cache_index; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
253 extern int ngx_ssl_session_ticket_keys_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
254 extern int ngx_ssl_certificate_index; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6492
diff
changeset
|
255 extern int ngx_ssl_next_certificate_index; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
256 extern int ngx_ssl_certificate_name_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
257 extern int ngx_ssl_stapling_index; |
671 | 258 |
259 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
260 #endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */ |