mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-10 11:38:36 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

SSL: adjusted session id context with dynamic certificates.

Browse Source 
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
This commit is contained in:
Maxim Dounin 2019-02-25 16:42:54 +03:00
parent fbcb0c8a33
commit ecfab06cb2
5 changed files with 31 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/event/ngx_event_openssl.c
View File

@ -54,7 +54,7 @@ static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
static void ngx_ssl_clear_error(ngx_log_t *log); static void ngx_ssl_clear_error(ngx_log_t *log);
static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
ngx_str_t *sess_ctx); ngx_str_t *sess_ctx, ngx_array_t *certificates);
static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
ngx_ssl_session_t *sess); ngx_ssl_session_t *sess);
static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
@ -3013,13 +3013,14 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
ngx_int_t ngx_int_t
ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout) ngx_array_t *certificates, ssize_t builtin_session_cache,
ngx_shm_zone_t *shm_zone, time_t timeout)
{ {
long cache_mode; long cache_mode;
SSL_CTX_set_timeout(ssl->ctx, (long) timeout); SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) { if (ngx_ssl_session_id_context(ssl, sess_ctx, certificates) != NGX_OK) {
return NGX_ERROR; return NGX_ERROR;
} }
@ -3085,11 +3086,14 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
static ngx_int_t static ngx_int_t
ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx) ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ngx_array_t *certificates)
{ {
int n, i; int n, i;
X509 *cert; X509 *cert;
X509_NAME *name; X509_NAME *name;
ngx_str_t *certs;
ngx_uint_t k;
EVP_MD_CTX *md; EVP_MD_CTX *md;
unsigned int len; unsigned int len;
STACK_OF(X509_NAME) *list; STACK_OF(X509_NAME) *list;
@ -3134,6 +3138,24 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
} }
} }
if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL) {
/*
* If certificates are loaded dynamically, we use certificate
* names as specified in the configuration (with variables).
*/
certs = certificates->elts;
for (k = 0; k < certificates->nelts; k++) {
if (EVP_DigestUpdate(md, certs[k].data, certs[k].len) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"EVP_DigestUpdate() failed");
goto failed;
}
}
}
list = SSL_CTX_get_client_CA_list(ssl->ctx); list = SSL_CTX_get_client_CA_list(ssl->ctx);
if (list != NULL) { if (list != NULL) {

3
src/event/ngx_event_openssl.h
View File

@ -192,7 +192,8 @@ ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_uint_t enable); ngx_uint_t enable);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_array_t *certificates, ssize_t builtin_session_cache,
ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *paths); ngx_array_t *paths);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);

2
src/http/modules/ngx_http_ssl_module.c
View File

@ -817,7 +817,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
} }
if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx, if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
conf->builtin_session_cache, conf->certificates, conf->builtin_session_cache,
conf->shm_zone, conf->session_timeout) conf->shm_zone, conf->session_timeout)
!= NGX_OK) != NGX_OK)
{ {

2
src/mail/ngx_mail_ssl_module.c
View File

@ -435,7 +435,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
} }
if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx, if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
conf->builtin_session_cache, conf->certificates, conf->builtin_session_cache,
conf->shm_zone, conf->session_timeout) conf->shm_zone, conf->session_timeout)
!= NGX_OK) != NGX_OK)
{ {

2
src/stream/ngx_stream_ssl_module.c
View File

@ -766,7 +766,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
} }
if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx, if (ngx_ssl_session_cache(&conf->ssl, &ngx_stream_ssl_sess_id_ctx,
conf->builtin_session_cache, conf->certificates, conf->builtin_session_cache,
conf->shm_zone, conf->session_timeout) conf->shm_zone, conf->session_timeout)
!= NGX_OK) != NGX_OK)
{ {