
Viewing changes to src/http/modules/ngx_http_ssl_module.c

  • Committer: Bazaar Package Importer
  • Author(s): Fabio Tranchitella
  • Date: 2009-05-31 18:38:56 UTC
  • mfrom: (1.1.11 upstream) (4.2.2 sid)
  • Revision ID: james.westby@ubuntu.com-20090531183856-lkdgdzr9m731fz92
Tags: 0.7.59-1
* New upstream release, first in Debian for the 0.7 branch. Among other
  issues, it also fixes the problem with wildcard dns names used with SSL.
  (Closes: #515904)
* debian/watch: updated.
* debian/postinst: fixed a bashism. (Closes: #507913)
* debian/conf/nginx.conf: removed default_type. (Closes: #509390)
* debian/control: updated Standards-Version to 3.8.1, no changes needed.
* debian/NEWS.Debian: documented the issues with
  server_names_hash_bucket_size. (Closes: #524785)

13
13
    ngx_pool_t *pool, ngx_str_t *s);
14
14
 
15
15
 
16
 
#define NGX_DEFLAUT_CERTIFICATE      "cert.pem"
17
 
#define NGX_DEFLAUT_CERTIFICATE_KEY  "cert.pem"
18
 
#define NGX_DEFLAUT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 
16
#define NGX_DEFAULT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
19
17
 
20
18
 
21
19
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
28
26
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
29
27
    void *parent, void *child);
30
28
 
 
29
static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
 
30
    void *conf);
31
31
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
32
32
    void *conf);
33
33
 
49
49
};
50
50
 
51
51
 
 
52
static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
 
53
    { ngx_string("off"), 0 },
 
54
    { ngx_string("on"), 1 },
 
55
    { ngx_string("ask"), 2 },
 
56
    { ngx_null_string, 0 }
 
57
};
 
58
 
 
59
 
52
60
static ngx_command_t  ngx_http_ssl_commands[] = {
53
61
 
54
62
    { ngx_string("ssl"),
55
63
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
56
 
      ngx_conf_set_flag_slot,
 
64
      ngx_http_ssl_enable,
57
65
      NGX_HTTP_SRV_CONF_OFFSET,
58
66
      offsetof(ngx_http_ssl_srv_conf_t, enable),
59
67
      NULL },
72
80
      offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
73
81
      NULL },
74
82
 
 
83
    { ngx_string("ssl_dhparam"),
 
84
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
 
85
      ngx_conf_set_str_slot,
 
86
      NGX_HTTP_SRV_CONF_OFFSET,
 
87
      offsetof(ngx_http_ssl_srv_conf_t, dhparam),
 
88
      NULL },
 
89
 
75
90
    { ngx_string("ssl_protocols"),
76
91
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
77
92
      ngx_conf_set_bitmask_slot,
88
103
 
89
104
    { ngx_string("ssl_verify_client"),
90
105
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
91
 
      ngx_conf_set_flag_slot,
 
106
      ngx_conf_set_enum_slot,
92
107
      NGX_HTTP_SRV_CONF_OFFSET,
93
108
      offsetof(ngx_http_ssl_srv_conf_t, verify),
94
 
      NULL },
 
109
      &ngx_http_ssl_verify },
95
110
 
96
111
    { ngx_string("ssl_verify_depth"),
97
112
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
175
190
    { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
176
191
      (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
177
192
 
 
193
    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
 
194
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
195
 
 
196
    { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
 
197
      (uintptr_t) ngx_ssl_get_raw_certificate,
 
198
      NGX_HTTP_VAR_CHANGEABLE, 0 },
 
199
 
178
200
    { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
179
201
      (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
180
202
 
287
309
     * set by ngx_pcalloc():
288
310
     *
289
311
     *     sscf->protocols = 0;
290
 
     *     sscf->certificate.len = 0;
291
 
     *     sscf->certificate.data = NULL;
292
 
     *     sscf->certificate_key.len = 0;
293
 
     *     sscf->certificate_key.data = NULL;
294
 
     *     sscf->client_certificate.len = 0;
295
 
     *     sscf->client_certificate.data = NULL;
 
312
     *     sscf->certificate = { 0, NULL };
 
313
     *     sscf->certificate_key = { 0, NULL };
 
314
     *     sscf->dhparam = { 0, NULL };
 
315
     *     sscf->client_certificate = { 0, NULL };
296
316
     *     sscf->ciphers.len = 0;
297
317
     *     sscf->ciphers.data = NULL;
298
318
     *     sscf->shm_zone = NULL;
299
319
     */
300
320
 
301
321
    sscf->enable = NGX_CONF_UNSET;
302
 
    sscf->verify = NGX_CONF_UNSET;
303
 
    sscf->verify_depth = NGX_CONF_UNSET;
304
322
    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
 
323
    sscf->verify = NGX_CONF_UNSET_UINT;
 
324
    sscf->verify_depth = NGX_CONF_UNSET_UINT;
305
325
    sscf->builtin_session_cache = NGX_CONF_UNSET;
306
326
    sscf->session_timeout = NGX_CONF_UNSET;
307
327
 
319
339
 
320
340
    ngx_conf_merge_value(conf->enable, prev->enable, 0);
321
341
 
322
 
    if (conf->enable == 0) {
323
 
        return NGX_CONF_OK;
324
 
    }
325
 
 
326
342
    ngx_conf_merge_value(conf->session_timeout,
327
343
                         prev->session_timeout, 300);
328
344
 
333
349
                         (NGX_CONF_BITMASK_SET
334
350
                          |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
335
351
 
336
 
    ngx_conf_merge_value(conf->verify, prev->verify, 0);
337
 
    ngx_conf_merge_value(conf->verify_depth, prev->verify_depth, 1);
338
 
 
339
 
    ngx_conf_merge_str_value(conf->certificate, prev->certificate,
340
 
                         NGX_DEFLAUT_CERTIFICATE);
341
 
 
342
 
    ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
343
 
                         NGX_DEFLAUT_CERTIFICATE_KEY);
 
352
    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
 
353
    ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 
354
 
 
355
    ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
 
356
    ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
 
357
 
 
358
    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
344
359
 
345
360
    ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
346
361
                         "");
347
362
 
348
 
    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
 
363
    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
349
364
 
350
365
 
351
366
    conf->ssl.log = cf->log;
352
367
 
 
368
    if (conf->enable) {
 
369
 
 
370
        if (conf->certificate.len == 0) {
 
371
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 
372
                          "no \"ssl_certificate\" is defined for "
 
373
                          "the \"ssl\" directive in %s:%ui",
 
374
                          conf->file, conf->line);
 
375
            return NGX_CONF_ERROR;
 
376
        }
 
377
 
 
378
        if (conf->certificate_key.len == 0) {
 
379
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 
380
                          "no \"ssl_certificate_key\" is defined for "
 
381
                          "the \"ssl\" directive in %s:%ui",
 
382
                          conf->file, conf->line);
 
383
            return NGX_CONF_ERROR;
 
384
        }
 
385
 
 
386
    } else {
 
387
 
 
388
        if (conf->certificate.len == 0) {
 
389
            return NGX_CONF_OK;
 
390
        }
 
391
 
 
392
        if (conf->certificate_key.len == 0) {
 
393
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 
394
                          "no \"ssl_certificate_key\" is defined "
 
395
                          "for certificate \"%V\"", &conf->certificate);
 
396
            return NGX_CONF_ERROR;
 
397
        }
 
398
    }
 
399
 
353
400
    if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
354
401
        return NGX_CONF_ERROR;
355
402
    }
392
439
    }
393
440
 
394
441
    if (conf->verify) {
 
442
 
 
443
        if (conf->client_certificate.len == 0) {
 
444
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 
445
                          "no ssl_client_certificate for ssl_client_verify");
 
446
            return NGX_CONF_ERROR;
 
447
        }
 
448
 
395
449
        if (ngx_ssl_client_certificate(cf, &conf->ssl,
396
450
                                       &conf->client_certificate,
397
451
                                       conf->verify_depth)
414
468
        return NGX_CONF_ERROR;
415
469
    }
416
470
 
 
471
    if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
 
472
        return NGX_CONF_ERROR;
 
473
    }
 
474
 
417
475
    ngx_conf_merge_value(conf->builtin_session_cache,
418
476
                         prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
419
477
 
434
492
 
435
493
 
436
494
static char *
 
495
ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 
496
{
 
497
    ngx_http_ssl_srv_conf_t *sscf = conf;
 
498
 
 
499
    char  *rv;
 
500
 
 
501
    rv = ngx_conf_set_flag_slot(cf, cmd, conf);
 
502
 
 
503
    if (rv != NGX_CONF_OK) {
 
504
        return rv;
 
505
    }
 
506
 
 
507
    sscf->file = cf->conf_file->file.name.data;
 
508
    sscf->line = cf->conf_file->line;
 
509
 
 
510
    return NGX_CONF_OK;
 
511
}
 
512
 
 
513
 
 
514
static char *
437
515
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
438
516
{
439
517
    ngx_http_ssl_srv_conf_t *sscf = conf;
486
564
 
487
565
            for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
488
566
                if (value[i].data[j] == ':') {
 
567
                    value[i].data[j] = '\0';
489
568
                    break;
490
569
                }
491
570