diff --git a/src/core/ngx_config.h b/src/core/ngx_config.h index ab73079a6..9762b18ca 100644 --- a/src/core/ngx_config.h +++ b/src/core/ngx_config.h @@ -127,5 +127,7 @@ typedef intptr_t ngx_flag_t; #define NGX_MAX_UINT32_VALUE (uint32_t) 0xffffffff #endif +#define NGX_MAX_INT32_VALUE (uint32_t) 0x7fffffff + #endif /* _NGX_CONFIG_H_INCLUDED_ */ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index 0527c9c30..692f50639 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -371,28 +371,18 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) } -ngx_int_t -ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl) +RSA * +ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length) { - RSA *key; + static RSA *key; - if (SSL_CTX_need_tmp_RSA(ssl->ctx) == 0) { - return NGX_OK; + if (key_length == 512) { + if (key == NULL) { + key = RSA_generate_key(512, RSA_F4, NULL, NULL); + } } - key = RSA_generate_key(512, RSA_F4, NULL, NULL); - - if (key) { - SSL_CTX_set_tmp_rsa(ssl->ctx, key); - - RSA_free(key); - - return NGX_OK; - } - - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "RSA_generate_key(512) failed"); - - return NGX_ERROR; + return key; } @@ -478,6 +468,45 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) return NGX_OK; } +ngx_int_t +ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) +{ +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH + int nid; + EC_KEY *ecdh; + + /* + * Elliptic-Curve Diffie-Hellman parameters are either "named curves" + * from RFC 4492 section 5.1.1, or explicitely described curves over + * binary fields. OpenSSL only supports the "named curves", which provide + * maximum interoperability. + */ + + nid = OBJ_sn2nid((const char *) name->data); + if (nid == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "Unknown curve name \"%s\"", name->data); + return NGX_ERROR; + } + + ecdh = EC_KEY_new_by_curve_name(nid); + if (ecdh == NULL) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "Unable to create curve \"%s\"", name->data); + return NGX_ERROR; + } + + SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); + + SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); + + EC_KEY_free(ecdh); +#endif +#endif + + return NGX_OK; +} ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) @@ -957,10 +986,10 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) } - /* the maximum limit size is the maximum uint32_t value - the page size */ + /* the maximum limit size is the maximum int32_t value - the page size */ - if (limit == 0 || limit > (off_t) (NGX_MAX_UINT32_VALUE - ngx_pagesize)) { - limit = NGX_MAX_UINT32_VALUE - ngx_pagesize; + if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { + limit = NGX_MAX_INT32_VALUE - ngx_pagesize; } buf = c->ssl->buf; @@ -1687,20 +1716,24 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, u_char *id, int len, ngx_int_t rc; ngx_shm_zone_t *shm_zone; ngx_slab_pool_t *shpool; - ngx_connection_t *c; ngx_rbtree_node_t *node, *sentinel; ngx_ssl_session_t *sess; ngx_ssl_sess_id_t *sess_id; ngx_ssl_session_cache_t *cache; u_char buf[NGX_SSL_MAX_SESSION_SIZE]; - - c = ngx_ssl_get_connection(ssl_conn); +#if (NGX_DEBUG) + ngx_connection_t *c; +#endif hash = ngx_crc32_short(id, (size_t) len); *copy = 0; +#if (NGX_DEBUG) + c = ngx_ssl_get_connection(ssl_conn); + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "ssl get session: %08XD:%d", hash, len); +#endif shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn), ngx_ssl_session_cache_index); diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h index a8f9d8757..204d5f08e 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -99,8 +99,9 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); -ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl); +RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length); ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); +ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 1860050d3..120a858df 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -13,7 +13,8 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); -#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#define NGX_DEFAULT_ECDH_CURVE "prime256v1" static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, @@ -78,6 +79,13 @@ static ngx_command_t ngx_http_ssl_commands[] = { offsetof(ngx_http_ssl_srv_conf_t, dhparam), NULL }, + { ngx_string("ssl_ecdh_curve"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve), + NULL }, + { ngx_string("ssl_protocols"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, ngx_conf_set_bitmask_slot, @@ -312,6 +320,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) * sscf->certificate = { 0, NULL }; * sscf->certificate_key = { 0, NULL }; * sscf->dhparam = { 0, NULL }; + * sscf->ecdh_curve = { 0, NULL }; * sscf->client_certificate = { 0, NULL }; * sscf->crl = { 0, NULL }; * sscf->ciphers = { 0, NULL }; @@ -360,6 +369,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ""); ngx_conf_merge_str_value(conf->crl, prev->crl, ""); + ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, + NGX_DEFAULT_ECDH_CURVE); + ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); @@ -465,11 +477,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) } /* a temporary 512-bit RSA key is required for export versions of MSIE */ - if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { + SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); + + if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { return NGX_CONF_ERROR; } - if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { + if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { return NGX_CONF_ERROR; } diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h index 29eedc8ae..0a5dd1d8d 100644 --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h @@ -32,6 +32,7 @@ typedef struct { ngx_str_t certificate; ngx_str_t certificate_key; ngx_str_t dhparam; + ngx_str_t ecdh_curve; ngx_str_t client_certificate; ngx_str_t crl; diff --git a/src/http/ngx_http_upstream_round_robin.c b/src/http/ngx_http_upstream_round_robin.c index 52bd80858..de34b2884 100644 --- a/src/http/ngx_http_upstream_round_robin.c +++ b/src/http/ngx_http_upstream_round_robin.c @@ -14,6 +14,15 @@ static ngx_int_t ngx_http_upstream_cmp_servers(const void *one, static ngx_uint_t ngx_http_upstream_get_peer(ngx_http_upstream_rr_peers_t *peers); +#if (NGX_HTTP_SSL) + +static ngx_int_t ngx_http_upstream_empty_set_session(ngx_peer_connection_t *pc, + void *data); +static void ngx_http_upstream_empty_save_session(ngx_peer_connection_t *pc, + void *data); + +#endif + ngx_int_t ngx_http_upstream_init_round_robin(ngx_conf_t *cf, @@ -343,10 +352,8 @@ ngx_http_upstream_create_round_robin_peer(ngx_http_request_t *r, r->upstream->peer.free = ngx_http_upstream_free_round_robin_peer; r->upstream->peer.tries = rrp->peers->number; #if (NGX_HTTP_SSL) - r->upstream->peer.set_session = - ngx_http_upstream_set_round_robin_peer_session; - r->upstream->peer.save_session = - ngx_http_upstream_save_round_robin_peer_session; + r->upstream->peer.set_session = ngx_http_upstream_empty_set_session; + r->upstream->peer.save_session = ngx_http_upstream_empty_save_session; #endif return NGX_OK; @@ -757,4 +764,18 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc, } } + +static ngx_int_t +ngx_http_upstream_empty_set_session(ngx_peer_connection_t *pc, void *data) +{ + return NGX_OK; +} + + +static void +ngx_http_upstream_empty_save_session(ngx_peer_connection_t *pc, void *data) +{ + return; +} + #endif diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c index 9dd9dfd15..5767a2fd4 100644 --- a/src/mail/ngx_mail_ssl_module.c +++ b/src/mail/ngx_mail_ssl_module.c @@ -9,7 +9,8 @@ #include -#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#define NGX_DEFAULT_ECDH_CURVE "prime256v1" static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf); @@ -77,6 +78,13 @@ static ngx_command_t ngx_mail_ssl_commands[] = { offsetof(ngx_mail_ssl_conf_t, dhparam), NULL }, + { ngx_string("ssl_ecdh_curve"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, ecdh_curve), + NULL }, + { ngx_string("ssl_protocols"), NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE, ngx_conf_set_bitmask_slot, @@ -163,6 +171,7 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf) * scf->certificate = { 0, NULL }; * scf->certificate_key = { 0, NULL }; * scf->dhparam = { 0, NULL }; + * scf->ecdh_curve = { 0, NULL }; * scf->ciphers = { 0, NULL }; * scf->shm_zone = NULL; */ @@ -204,6 +213,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); + ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, + NGX_DEFAULT_ECDH_CURVE); + ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); @@ -286,9 +298,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } - if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { - return NGX_CONF_ERROR; - } + SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { return NGX_CONF_ERROR; diff --git a/src/mail/ngx_mail_ssl_module.h b/src/mail/ngx_mail_ssl_module.h index b27da41d9..61a275b36 100644 --- a/src/mail/ngx_mail_ssl_module.h +++ b/src/mail/ngx_mail_ssl_module.h @@ -34,6 +34,7 @@ typedef struct { ngx_str_t certificate; ngx_str_t certificate_key; ngx_str_t dhparam; + ngx_str_t ecdh_curve; ngx_str_t ciphers;