comparison src/event/ngx_event_openssl.c @ 9199:875cd36b8617
SSL: disabled renegotiation checks with LibreSSL.
Similar to 7356:e3ba4026c02d, as long as SSL_OP_NO_CLIENT_RENEGOTIATION
is defined, it is the library responsibility to prevent renegotiation.
Additionally, this allows raising the LibreSSL version used to redefine
OPENSSL_VERSION_NUMBER to 0x1010000fL, so that this won't result in
attempts to dereference SSL objects made opaque in LibreSSL 3.4.0.
Patch by Maxim Dounin.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 25 Dec 2023 21:15:47 +0400 |
parents | 0ba26c99b3a1 |
children | 43fc897bbab8 |
9198:514c518b9d6c | 9199:875cd36b8617 |
---|---|
1103 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) | 1103 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) |
1104 { | 1104 { |
1105 BIO *rbio, *wbio; | 1105 BIO *rbio, *wbio; |
1106 ngx_connection_t *c; | 1106 ngx_connection_t *c; |
1107 | 1107 |
1108 #ifndef SSL_OP_NO_RENEGOTIATION | 1108 #if (!defined SSL_OP_NO_RENEGOTIATION \ |
1109 && !defined SSL_OP_NO_CLIENT_RENEGOTIATION) | |
1109 | 1110 |
1110 if ((where & SSL_CB_HANDSHAKE_START) | 1111 if ((where & SSL_CB_HANDSHAKE_START) |
1111 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) | 1112 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) |
1112 { | 1113 { |
1113 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); | 1114 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
1836 c->send_chain = ngx_ssl_send_chain; | 1837 c->send_chain = ngx_ssl_send_chain; |
1837 | 1838 |
1838 c->read->ready = 1; | 1839 c->read->ready = 1; |
1839 c->write->ready = 1; | 1840 c->write->ready = 1; |
1840 | 1841 |
1841 #ifndef SSL_OP_NO_RENEGOTIATION | 1842 #if (!defined SSL_OP_NO_RENEGOTIATION \ |
1842 #if OPENSSL_VERSION_NUMBER < 0x10100000L | 1843 && !defined SSL_OP_NO_CLIENT_RENEGOTIATION \ |
1843 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS | 1844 && defined SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS \ |
1845 && OPENSSL_VERSION_NUMBER < 0x10100000L) | |
1844 | 1846 |
1845 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ | 1847 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ |
1846 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { | 1848 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { |
1847 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; | 1849 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; |
1848 } | 1850 } |
1849 | 1851 |
1850 #endif | |
1851 #endif | |
1852 #endif | 1852 #endif |
1853 | 1853 |
1854 #if (defined BIO_get_ktls_send && !NGX_WIN32) | 1854 #if (defined BIO_get_ktls_send && !NGX_WIN32) |
1855 | 1855 |
1856 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { | 1856 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { |
2481 ngx_ssl_handle_recv(ngx_connection_t *c, int n) | 2481 ngx_ssl_handle_recv(ngx_connection_t *c, int n) |
2482 { | 2482 { |
2483 int sslerr; | 2483 int sslerr; |
2484 ngx_err_t err; | 2484 ngx_err_t err; |
2485 | 2485 |
2486 #ifndef SSL_OP_NO_RENEGOTIATION | 2486 #if (!defined SSL_OP_NO_RENEGOTIATION \ |
2487 && !defined SSL_OP_NO_CLIENT_RENEGOTIATION) | |
2487 | 2488 |
2488 if (c->ssl->renegotiation) { | 2489 if (c->ssl->renegotiation) { |
2489 /* | 2490 /* |
2490 * disable renegotiation (CVE-2009-3555): | 2491 * disable renegotiation (CVE-2009-3555): |
2491 * OpenSSL (at least up to 0.9.8l) does not handle disabled | 2492 * OpenSSL (at least up to 0.9.8l) does not handle disabled |
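Review bot: The new `#if` at 2486 (and the identical condition at 1108 and 1842) drops nginx's own renegotiation tracking as soon as SSL_OP_NO_CLIENT_RENEGOTIATION is merely defined, but the diff does not show the matching SSL_CTX_set_options() call that actually sets that option; if ngx_ssl_create() (outside these hunks) does not set it, a build against a library that defines the macro loses the application-level check without gaining the library-level one. The description's "it is the library responsibility" holds only once the option is set, unless the library refuses client-initiated renegotiation by default regardless of the option, which is worth confirming against the context setup code. Independently, the three-way condition is now repeated in three places with no explanation of why the application check is skipped; a comment such as `/* the library rejects renegotiation itself when either option exists; this check is only needed for older OpenSSL */` above each `#if` would make the intent clear to the next reader. ngx_ssl_handle_recv() continues past the end of this hunk.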