Mercurial > hg > nginx
comparison src/stream/ngx_stream_ssl_module.c @ 8889:61d0fa67b55e quic
Merged with the default branch.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 03 Nov 2021 11:22:07 +0300 |
parents | a550d4fa3581 46a02ed7c966 |
children | 5c86189a1c1b |
comparison
equal
deleted
inserted
replaced
8888:6d1488b62dc5 | 8889:61d0fa67b55e |
---|---|
21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); | 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); |
22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, | 22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, |
23 ngx_connection_t *c); | 23 ngx_connection_t *c); |
24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); | 24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); |
25 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | 25 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
26 int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg); | 26 static int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, |
27 void *arg); | |
28 #endif | |
29 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation | |
30 static int ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, | |
31 const unsigned char **out, unsigned char *outlen, | |
32 const unsigned char *in, unsigned int inlen, void *arg); | |
27 #endif | 33 #endif |
28 #ifdef SSL_R_CERT_CB_ERROR | 34 #ifdef SSL_R_CERT_CB_ERROR |
29 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg); | 35 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg); |
30 #endif | 36 #endif |
31 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, | 37 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
42 ngx_stream_ssl_conf_t *conf); | 48 ngx_stream_ssl_conf_t *conf); |
43 | 49 |
44 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, | 50 static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
45 void *conf); | 51 void *conf); |
46 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | 52 static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
53 void *conf); | |
54 static char *ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd, | |
47 void *conf); | 55 void *conf); |
48 | 56 |
49 static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, | 57 static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, |
50 void *data); | 58 void *data); |
51 | 59 |
208 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2, | 216 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2, |
209 ngx_conf_set_keyval_slot, | 217 ngx_conf_set_keyval_slot, |
210 NGX_STREAM_SRV_CONF_OFFSET, | 218 NGX_STREAM_SRV_CONF_OFFSET, |
211 offsetof(ngx_stream_ssl_conf_t, conf_commands), | 219 offsetof(ngx_stream_ssl_conf_t, conf_commands), |
212 &ngx_stream_ssl_conf_command_post }, | 220 &ngx_stream_ssl_conf_command_post }, |
221 | |
222 { ngx_string("ssl_alpn"), | |
223 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE, | |
224 ngx_stream_ssl_alpn, | |
225 NGX_STREAM_SRV_CONF_OFFSET, | |
226 0, | |
227 NULL }, | |
213 | 228 |
214 ngx_null_command | 229 ngx_null_command |
215 }; | 230 }; |
216 | 231 |
217 | 232 |
264 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, | 279 (uintptr_t) ngx_ssl_get_session_reused, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
265 | 280 |
266 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, | 281 { ngx_string("ssl_server_name"), NULL, ngx_stream_ssl_variable, |
267 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, | 282 (uintptr_t) ngx_ssl_get_server_name, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
268 | 283 |
284 { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable, | |
285 (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, | |
286 | |
269 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, | 287 { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, |
270 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, | 288 (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, |
271 | 289 |
272 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable, | 290 { ngx_string("ssl_client_raw_cert"), NULL, ngx_stream_ssl_variable, |
273 (uintptr_t) ngx_ssl_get_raw_certificate, | 291 (uintptr_t) ngx_ssl_get_raw_certificate, |
432 } | 450 } |
433 | 451 |
434 | 452 |
435 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | 453 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
436 | 454 |
437 int | 455 static int |
438 ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) | 456 ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) |
439 { | 457 { |
440 return SSL_TLSEXT_ERR_OK; | 458 return SSL_TLSEXT_ERR_OK; |
441 } | 459 } |
442 | 460 |
443 #endif | 461 #endif |
444 | 462 |
445 | 463 |
464 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation | |
465 | |
466 static int | |
467 ngx_stream_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, | |
468 unsigned char *outlen, const unsigned char *in, unsigned int inlen, | |
469 void *arg) | |
470 { | |
471 ngx_str_t *alpn; | |
472 #if (NGX_DEBUG) | |
473 unsigned int i; | |
474 ngx_connection_t *c; | |
475 | |
476 c = ngx_ssl_get_connection(ssl_conn); | |
477 | |
478 for (i = 0; i < inlen; i += in[i] + 1) { | |
479 ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0, | |
480 "SSL ALPN supported by client: %*s", | |
481 (size_t) in[i], &in[i + 1]); | |
482 } | |
483 | |
484 #endif | |
485 | |
486 alpn = arg; | |
487 | |
488 if (SSL_select_next_proto((unsigned char **) out, outlen, alpn->data, | |
489 alpn->len, in, inlen) | |
490 != OPENSSL_NPN_NEGOTIATED) | |
491 { | |
492 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
493 } | |
494 | |
495 ngx_log_debug2(NGX_LOG_DEBUG_STREAM, c->log, 0, | |
496 "SSL ALPN selected: %*s", (size_t) *outlen, *out); | |
497 | |
498 return SSL_TLSEXT_ERR_OK; | |
499 } | |
500 | |
501 #endif | |
502 | |
503 | |
446 #ifdef SSL_R_CERT_CB_ERROR | 504 #ifdef SSL_R_CERT_CB_ERROR |
447 | 505 |
448 int | 506 static int |
449 ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg) | 507 ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg) |
450 { | 508 { |
451 ngx_str_t cert, key; | 509 ngx_str_t cert, key; |
452 ngx_uint_t i, nelts; | 510 ngx_uint_t i, nelts; |
453 ngx_connection_t *c; | 511 ngx_connection_t *c; |
600 * scf->dhparam = { 0, NULL }; | 658 * scf->dhparam = { 0, NULL }; |
601 * scf->ecdh_curve = { 0, NULL }; | 659 * scf->ecdh_curve = { 0, NULL }; |
602 * scf->client_certificate = { 0, NULL }; | 660 * scf->client_certificate = { 0, NULL }; |
603 * scf->trusted_certificate = { 0, NULL }; | 661 * scf->trusted_certificate = { 0, NULL }; |
604 * scf->crl = { 0, NULL }; | 662 * scf->crl = { 0, NULL }; |
663 * scf->alpn = { 0, NULL }; | |
605 * scf->ciphers = { 0, NULL }; | 664 * scf->ciphers = { 0, NULL }; |
606 * scf->shm_zone = NULL; | 665 * scf->shm_zone = NULL; |
607 */ | 666 */ |
608 | 667 |
609 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; | 668 scf->handshake_timeout = NGX_CONF_UNSET_MSEC; |
658 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, | 717 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
659 ""); | 718 ""); |
660 ngx_conf_merge_str_value(conf->trusted_certificate, | 719 ngx_conf_merge_str_value(conf->trusted_certificate, |
661 prev->trusted_certificate, ""); | 720 prev->trusted_certificate, ""); |
662 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); | 721 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
722 ngx_conf_merge_str_value(conf->alpn, prev->alpn, ""); | |
663 | 723 |
664 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, | 724 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
665 NGX_DEFAULT_ECDH_CURVE); | 725 NGX_DEFAULT_ECDH_CURVE); |
666 | 726 |
667 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 727 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
718 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | 778 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
719 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, | 779 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, |
720 ngx_stream_ssl_servername); | 780 ngx_stream_ssl_servername); |
721 #endif | 781 #endif |
722 | 782 |
783 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation | |
784 if (conf->alpn.len) { | |
785 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_stream_ssl_alpn_select, | |
786 &conf->alpn); | |
787 } | |
788 #endif | |
789 | |
723 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, | 790 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
724 conf->prefer_server_ciphers) | 791 conf->prefer_server_ciphers) |
725 != NGX_OK) | 792 != NGX_OK) |
726 { | 793 { |
727 return NGX_CONF_ERROR; | 794 return NGX_CONF_ERROR; |
1055 return NGX_CONF_ERROR; | 1122 return NGX_CONF_ERROR; |
1056 } | 1123 } |
1057 | 1124 |
1058 | 1125 |
1059 static char * | 1126 static char * |
1127 ngx_stream_ssl_alpn(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
1128 { | |
1129 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation | |
1130 | |
1131 ngx_stream_ssl_conf_t *scf = conf; | |
1132 | |
1133 u_char *p; | |
1134 size_t len; | |
1135 ngx_str_t *value; | |
1136 ngx_uint_t i; | |
1137 | |
1138 if (scf->alpn.len) { | |
1139 return "is duplicate"; | |
1140 } | |
1141 | |
1142 value = cf->args->elts; | |
1143 | |
1144 len = 0; | |
1145 | |
1146 for (i = 1; i < cf->args->nelts; i++) { | |
1147 | |
1148 if (value[i].len > 255) { | |
1149 return "protocol too long"; | |
1150 } | |
1151 | |
1152 len += value[i].len + 1; | |
1153 } | |
1154 | |
1155 scf->alpn.data = ngx_pnalloc(cf->pool, len); | |
1156 if (scf->alpn.data == NULL) { | |
1157 return NGX_CONF_ERROR; | |
1158 } | |
1159 | |
1160 p = scf->alpn.data; | |
1161 | |
1162 for (i = 1; i < cf->args->nelts; i++) { | |
1163 *p++ = value[i].len; | |
1164 p = ngx_cpymem(p, value[i].data, value[i].len); | |
1165 } | |
1166 | |
1167 scf->alpn.len = len; | |
1168 | |
1169 return NGX_CONF_OK; | |
1170 | |
1171 #else | |
1172 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
1173 "the \"ssl_alpn\" directive requires OpenSSL " | |
1174 "with ALPN support"); | |
1175 return NGX_CONF_ERROR; | |
1176 #endif | |
1177 } | |
1178 | |
1179 | |
1180 static char * | |
1060 ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) | 1181 ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) |
1061 { | 1182 { |
1062 #ifndef SSL_CONF_FLAG_FILE | 1183 #ifndef SSL_CONF_FLAG_FILE |
1063 return "is not supported on this platform"; | 1184 return "is not supported on this platform"; |
1064 #else | 1185 #else |