One Level Up Top Level

src/http/modules/ngx_http_ssl_module.c - nginx source code

Global variables defined

Data types defined

Functions defined

Macros defined

Source code


  2. /*
  3. * Copyright (C) Igor Sysoev
  4. * Copyright (C) Nginx, Inc.
  5. */


  8. #include <ngx_config.h>
  9. #include <ngx_core.h>
  10. #include <ngx_http.h>

  12. #if (NGX_QUIC_OPENSSL_COMPAT)
  13. #include <ngx_event_quic_openssl_compat.h>
  14. #endif


  17. typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
  18.     ngx_pool_t *pool, ngx_str_t *s);


  21. #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
  22. #define NGX_DEFAULT_ECDH_CURVE  "auto"

  24. #define NGX_HTTP_ALPN_PROTOS    "\x08http/1.1\x08http/1.0\x08http/0.9"


  27. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
  28. static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
  29.     const unsigned char **out, unsigned char *outlen,
  30.     const unsigned char *in, unsigned int inlen, void *arg);
  31. #endif

  33. static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
  34.     ngx_http_variable_value_t *v, uintptr_t data);
  35. static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
  36.     ngx_http_variable_value_t *v, uintptr_t data);

  38. static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
  39. static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
  40. static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
  41.     void *parent, void *child);

  43. static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
  44.     ngx_http_ssl_srv_conf_t *conf);

  46. static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
  47.     void *conf);
  48. static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
  49.     void *conf);
  50. static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
  51.     void *conf);

  53. static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
  54.     void *data);

  56. static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
  57. #if (NGX_QUIC_OPENSSL_COMPAT)
  58. static ngx_int_t ngx_http_ssl_quic_compat_init(ngx_conf_t *cf,
  59.     ngx_http_conf_addr_t *addr);
  60. #endif


  63. static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
  64.     { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
  65.     { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
  66.     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
  67.     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
  68.     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
  69.     { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
  70.     { ngx_null_string, 0 }
  71. };


  74. static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
  75.     { ngx_string("off"), 0 },
  76.     { ngx_string("on"), 1 },
  77.     { ngx_string("optional"), 2 },
  78.     { ngx_string("optional_no_ca"), 3 },
  79.     { ngx_null_string, 0 }
  80. };


  83. static ngx_conf_enum_t  ngx_http_ssl_ocsp[] = {
  84.     { ngx_string("off"), 0 },
  85.     { ngx_string("on"), 1 },
  86.     { ngx_string("leaf"), 2 },
  87.     { ngx_null_string, 0 }
  88. };


  91. static ngx_conf_post_t  ngx_http_ssl_conf_command_post =
  92.     { ngx_http_ssl_conf_command_check };


  95. static ngx_command_t  ngx_http_ssl_commands[] = {

  97.     { ngx_string("ssl_certificate"),
  98.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  99.       ngx_conf_set_str_array_slot,
  100.       NGX_HTTP_SRV_CONF_OFFSET,
  101.       offsetof(ngx_http_ssl_srv_conf_t, certificates),
  102.       NULL },

  104.     { ngx_string("ssl_certificate_key"),
  105.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  106.       ngx_conf_set_str_array_slot,
  107.       NGX_HTTP_SRV_CONF_OFFSET,
  108.       offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
  109.       NULL },

  111.     { ngx_string("ssl_password_file"),
  112.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  113.       ngx_http_ssl_password_file,
  114.       NGX_HTTP_SRV_CONF_OFFSET,
  115.       0,
  116.       NULL },

  118.     { ngx_string("ssl_dhparam"),
  119.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  120.       ngx_conf_set_str_slot,
  121.       NGX_HTTP_SRV_CONF_OFFSET,
  122.       offsetof(ngx_http_ssl_srv_conf_t, dhparam),
  123.       NULL },

  125.     { ngx_string("ssl_ecdh_curve"),
  126.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  127.       ngx_conf_set_str_slot,
  128.       NGX_HTTP_SRV_CONF_OFFSET,
  129.       offsetof(ngx_http_ssl_srv_conf_t, ecdh_curve),
  130.       NULL },

  132.     { ngx_string("ssl_protocols"),
  133.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
  134.       ngx_conf_set_bitmask_slot,
  135.       NGX_HTTP_SRV_CONF_OFFSET,
  136.       offsetof(ngx_http_ssl_srv_conf_t, protocols),
  137.       &ngx_http_ssl_protocols },

  139.     { ngx_string("ssl_ciphers"),
  140.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  141.       ngx_conf_set_str_slot,
  142.       NGX_HTTP_SRV_CONF_OFFSET,
  143.       offsetof(ngx_http_ssl_srv_conf_t, ciphers),
  144.       NULL },

  146.     { ngx_string("ssl_buffer_size"),
  147.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  148.       ngx_conf_set_size_slot,
  149.       NGX_HTTP_SRV_CONF_OFFSET,
  150.       offsetof(ngx_http_ssl_srv_conf_t, buffer_size),
  151.       NULL },

  153.     { ngx_string("ssl_verify_client"),
  154.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  155.       ngx_conf_set_enum_slot,
  156.       NGX_HTTP_SRV_CONF_OFFSET,
  157.       offsetof(ngx_http_ssl_srv_conf_t, verify),
  158.       &ngx_http_ssl_verify },

  160.     { ngx_string("ssl_verify_depth"),
  161.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  162.       ngx_conf_set_num_slot,
  163.       NGX_HTTP_SRV_CONF_OFFSET,
  164.       offsetof(ngx_http_ssl_srv_conf_t, verify_depth),
  165.       NULL },

  167.     { ngx_string("ssl_client_certificate"),
  168.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  169.       ngx_conf_set_str_slot,
  170.       NGX_HTTP_SRV_CONF_OFFSET,
  171.       offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
  172.       NULL },

  174.     { ngx_string("ssl_trusted_certificate"),
  175.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  176.       ngx_conf_set_str_slot,
  177.       NGX_HTTP_SRV_CONF_OFFSET,
  178.       offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
  179.       NULL },

  181.     { ngx_string("ssl_prefer_server_ciphers"),
  182.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  183.       ngx_conf_set_flag_slot,
  184.       NGX_HTTP_SRV_CONF_OFFSET,
  185.       offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
  186.       NULL },

  188.     { ngx_string("ssl_session_cache"),
  189.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
  190.       ngx_http_ssl_session_cache,
  191.       NGX_HTTP_SRV_CONF_OFFSET,
  192.       0,
  193.       NULL },

  195.     { ngx_string("ssl_session_tickets"),
  196.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  197.       ngx_conf_set_flag_slot,
  198.       NGX_HTTP_SRV_CONF_OFFSET,
  199.       offsetof(ngx_http_ssl_srv_conf_t, session_tickets),
  200.       NULL },

  202.     { ngx_string("ssl_session_ticket_key"),
  203.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  204.       ngx_conf_set_str_array_slot,
  205.       NGX_HTTP_SRV_CONF_OFFSET,
  206.       offsetof(ngx_http_ssl_srv_conf_t, session_ticket_keys),
  207.       NULL },

  209.     { ngx_string("ssl_session_timeout"),
  210.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  211.       ngx_conf_set_sec_slot,
  212.       NGX_HTTP_SRV_CONF_OFFSET,
  213.       offsetof(ngx_http_ssl_srv_conf_t, session_timeout),
  214.       NULL },

  216.     { ngx_string("ssl_crl"),
  217.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  218.       ngx_conf_set_str_slot,
  219.       NGX_HTTP_SRV_CONF_OFFSET,
  220.       offsetof(ngx_http_ssl_srv_conf_t, crl),
  221.       NULL },

  223.     { ngx_string("ssl_ocsp"),
  224.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  225.       ngx_conf_set_enum_slot,
  226.       NGX_HTTP_SRV_CONF_OFFSET,
  227.       offsetof(ngx_http_ssl_srv_conf_t, ocsp),
  228.       &ngx_http_ssl_ocsp },

  230.     { ngx_string("ssl_ocsp_responder"),
  231.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  232.       ngx_conf_set_str_slot,
  233.       NGX_HTTP_SRV_CONF_OFFSET,
  234.       offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder),
  235.       NULL },

  237.     { ngx_string("ssl_ocsp_cache"),
  238.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  239.       ngx_http_ssl_ocsp_cache,
  240.       NGX_HTTP_SRV_CONF_OFFSET,
  241.       0,
  242.       NULL },

  244.     { ngx_string("ssl_stapling"),
  245.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  246.       ngx_conf_set_flag_slot,
  247.       NGX_HTTP_SRV_CONF_OFFSET,
  248.       offsetof(ngx_http_ssl_srv_conf_t, stapling),
  249.       NULL },

  251.     { ngx_string("ssl_stapling_file"),
  252.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  253.       ngx_conf_set_str_slot,
  254.       NGX_HTTP_SRV_CONF_OFFSET,
  255.       offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
  256.       NULL },

  258.     { ngx_string("ssl_stapling_responder"),
  259.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
  260.       ngx_conf_set_str_slot,
  261.       NGX_HTTP_SRV_CONF_OFFSET,
  262.       offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
  263.       NULL },

  265.     { ngx_string("ssl_stapling_verify"),
  266.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  267.       ngx_conf_set_flag_slot,
  268.       NGX_HTTP_SRV_CONF_OFFSET,
  269.       offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
  270.       NULL },

  272.     { ngx_string("ssl_early_data"),
  273.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  274.       ngx_conf_set_flag_slot,
  275.       NGX_HTTP_SRV_CONF_OFFSET,
  276.       offsetof(ngx_http_ssl_srv_conf_t, early_data),
  277.       NULL },

  279.     { ngx_string("ssl_conf_command"),
  280.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
  281.       ngx_conf_set_keyval_slot,
  282.       NGX_HTTP_SRV_CONF_OFFSET,
  283.       offsetof(ngx_http_ssl_srv_conf_t, conf_commands),
  284.       &ngx_http_ssl_conf_command_post },

  286.     { ngx_string("ssl_reject_handshake"),
  287.       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
  288.       ngx_conf_set_flag_slot,
  289.       NGX_HTTP_SRV_CONF_OFFSET,
  290.       offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
  291.       NULL },

  293.       ngx_null_command
  294. };


  297. static ngx_http_module_t  ngx_http_ssl_module_ctx = {
  298.     ngx_http_ssl_add_variables,            /* preconfiguration */
  299.     ngx_http_ssl_init,                     /* postconfiguration */

  301.     NULL,                                  /* create main configuration */
  302.     NULL,                                  /* init main configuration */

  304.     ngx_http_ssl_create_srv_conf,          /* create server configuration */
  305.     ngx_http_ssl_merge_srv_conf,           /* merge server configuration */

  307.     NULL,                                  /* create location configuration */
  308.     NULL                                   /* merge location configuration */
  309. };


  312. ngx_module_t  ngx_http_ssl_module = {
  313.     NGX_MODULE_V1,
  314.     &ngx_http_ssl_module_ctx,              /* module context */
  315.     ngx_http_ssl_commands,                 /* module directives */
  316.     NGX_HTTP_MODULE,                       /* module type */
  317.     NULL,                                  /* init master */
  318.     NULL,                                  /* init module */
  319.     NULL,                                  /* init process */
  320.     NULL,                                  /* init thread */
  321.     NULL,                                  /* exit thread */
  322.     NULL,                                  /* exit process */
  323.     NULL,                                  /* exit master */
  324.     NGX_MODULE_V1_PADDING
  325. };


  328. static ngx_http_variable_t  ngx_http_ssl_vars[] = {

  330.     { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable,
  331.       (uintptr_t) ngx_ssl_get_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

  333.     { ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
  334.       (uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

  336.     { ngx_string("ssl_ciphers"), NULL, ngx_http_ssl_variable,
  337.       (uintptr_t) ngx_ssl_get_ciphers, NGX_HTTP_VAR_CHANGEABLE, 0 },

  339.     { ngx_string("ssl_curve"), NULL, ngx_http_ssl_variable,
  340.       (uintptr_t) ngx_ssl_get_curve, NGX_HTTP_VAR_CHANGEABLE, 0 },

  342.     { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
  343.       (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },

  345.     { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
  346.       (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

  348.     { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
  349.       (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },

  351.     { ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable,
  352.       (uintptr_t) ngx_ssl_get_early_data,
  353.       NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },

  355.     { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
  356.       (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

  358.     { ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
  359.       (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

  361.     { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
  362.       (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },

  364.     { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
  365.       (uintptr_t) ngx_ssl_get_raw_certificate,
  366.       NGX_HTTP_VAR_CHANGEABLE, 0 },

  368.     { ngx_string("ssl_client_escaped_cert"), NULL, ngx_http_ssl_variable,
  369.       (uintptr_t) ngx_ssl_get_escaped_certificate,
  370.       NGX_HTTP_VAR_CHANGEABLE, 0 },

  372.     { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
  373.       (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

  375.     { ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
  376.       (uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },

  378.     { ngx_string("ssl_client_s_dn_legacy"), NULL, ngx_http_ssl_variable,
  379.       (uintptr_t) ngx_ssl_get_subject_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },

  381.     { ngx_string("ssl_client_i_dn_legacy"), NULL, ngx_http_ssl_variable,
  382.       (uintptr_t) ngx_ssl_get_issuer_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },

  384.     { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
  385.       (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },

  387.     { ngx_string("ssl_client_fingerprint"), NULL, ngx_http_ssl_variable,
  388.       (uintptr_t) ngx_ssl_get_fingerprint, NGX_HTTP_VAR_CHANGEABLE, 0 },

  390.     { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
  391.       (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },

  393.     { ngx_string("ssl_client_v_start"), NULL, ngx_http_ssl_variable,
  394.       (uintptr_t) ngx_ssl_get_client_v_start, NGX_HTTP_VAR_CHANGEABLE, 0 },

  396.     { ngx_string("ssl_client_v_end"), NULL, ngx_http_ssl_variable,
  397.       (uintptr_t) ngx_ssl_get_client_v_end, NGX_HTTP_VAR_CHANGEABLE, 0 },

  399.     { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
  400.       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

  402.       ngx_http_null_variable
  403. };


  406. static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");


  409. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

  411. static int
  412. ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
  413.     unsigned char *outlen, const unsigned char *in, unsigned int inlen,
  414.     void *arg)
  415. {
  416.     unsigned int             srvlen;
  417.     unsigned char           *srv;
  418. #if (NGX_DEBUG)
  419.     unsigned int             i;
  420. #endif
  421. #if (NGX_HTTP_V2 || NGX_HTTP_V3)
  422.     ngx_http_connection_t   *hc;
  423. #endif
  424. #if (NGX_HTTP_V2)
  425.     ngx_http_v2_srv_conf_t  *h2scf;
  426. #endif
  427. #if (NGX_HTTP_V3)
  428.     ngx_http_v3_srv_conf_t  *h3scf;
  429. #endif
  430. #if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG)
  431.     ngx_connection_t        *c;

  433.     c = ngx_ssl_get_connection(ssl_conn);
  434. #endif

  436. #if (NGX_DEBUG)
  437.     for (i = 0; i < inlen; i += in[i] + 1) {
  438.         ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
  439.                        "SSL ALPN supported by client: %*s",
  440.                        (size_t) in[i], &in[i + 1]);
  441.     }
  442. #endif

  444. #if (NGX_HTTP_V2 || NGX_HTTP_V3)
  445.     hc = c->data;
  446. #endif

  448. #if (NGX_HTTP_V3)
  449.     if (hc->addr_conf->quic) {

  451.         h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module);

  453.         if (h3scf->enable && h3scf->enable_hq) {
  454.             srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO
  455.                                     NGX_HTTP_V3_HQ_ALPN_PROTO;
  456.             srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO NGX_HTTP_V3_HQ_ALPN_PROTO)
  457.                      - 1;

  459.         } else if (h3scf->enable_hq) {
  460.             srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO;
  461.             srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1;

  463.         } else if (h3scf->enable) {
  464.             srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO;
  465.             srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1;

  467.         } else {
  468.             return SSL_TLSEXT_ERR_ALERT_FATAL;
  469.         }

  471.     } else
  472. #endif
  473.     {
  474. #if (NGX_HTTP_V2)
  475.         h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);

  477.         if (h2scf->enable || hc->addr_conf->http2) {
  478.             srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
  479.             srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;

  481.         } else
  482. #endif
  483.         {
  484.             srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
  485.             srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
  486.         }
  487.     }

  489.     if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
  490.                               in, inlen)
  491.         != OPENSSL_NPN_NEGOTIATED)
  492.     {
  493.         return SSL_TLSEXT_ERR_ALERT_FATAL;
  494.     }

  496.     ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
  497.                    "SSL ALPN selected: %*s", (size_t) *outlen, *out);

  499.     return SSL_TLSEXT_ERR_OK;
  500. }

  502. #endif


  505. static ngx_int_t
  506. ngx_http_ssl_static_variable(ngx_http_request_t *r,
  507.     ngx_http_variable_value_t *v, uintptr_t data)
  508. {
  509.     ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

  511.     size_t     len;
  512.     ngx_str_t  s;

  514.     if (r->connection->ssl) {

  516.         (void) handler(r->connection, NULL, &s);

  518.         v->data = s.data;

  520.         for (len = 0; v->data[len]; len++) { /* void */ }

  522.         v->len = len;
  523.         v->valid = 1;
  524.         v->no_cacheable = 0;
  525.         v->not_found = 0;

  527.         return NGX_OK;
  528.     }

  530.     v->not_found = 1;

  532.     return NGX_OK;
  533. }


  536. static ngx_int_t
  537. ngx_http_ssl_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v,
  538.     uintptr_t data)
  539. {
  540.     ngx_ssl_variable_handler_pt  handler = (ngx_ssl_variable_handler_pt) data;

  542.     ngx_str_t  s;

  544.     if (r->connection->ssl) {

  546.         if (handler(r->connection, r->pool, &s) != NGX_OK) {
  547.             return NGX_ERROR;
  548.         }

  550.         v->len = s.len;
  551.         v->data = s.data;

  553.         if (v->len) {
  554.             v->valid = 1;
  555.             v->no_cacheable = 0;
  556.             v->not_found = 0;

  558.             return NGX_OK;
  559.         }
  560.     }

  562.     v->not_found = 1;

  564.     return NGX_OK;
  565. }


  568. static ngx_int_t
  569. ngx_http_ssl_add_variables(ngx_conf_t *cf)
  570. {
  571.     ngx_http_variable_t  *var, *v;

  573.     for (v = ngx_http_ssl_vars; v->name.len; v++) {
  574.         var = ngx_http_add_variable(cf, &v->name, v->flags);
  575.         if (var == NULL) {
  576.             return NGX_ERROR;
  577.         }

  579.         var->get_handler = v->get_handler;
  580.         var->data = v->data;
  581.     }

  583.     return NGX_OK;
  584. }


  587. static void *
  588. ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
  589. {
  590.     ngx_http_ssl_srv_conf_t  *sscf;

  592.     sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t));
  593.     if (sscf == NULL) {
  594.         return NULL;
  595.     }

  597.     /*
  598.      * set by ngx_pcalloc():
  599.      *
  600.      *     sscf->protocols = 0;
  601.      *     sscf->certificate_values = NULL;
  602.      *     sscf->dhparam = { 0, NULL };
  603.      *     sscf->ecdh_curve = { 0, NULL };
  604.      *     sscf->client_certificate = { 0, NULL };
  605.      *     sscf->trusted_certificate = { 0, NULL };
  606.      *     sscf->crl = { 0, NULL };
  607.      *     sscf->ciphers = { 0, NULL };
  608.      *     sscf->shm_zone = NULL;
  609.      *     sscf->ocsp_responder = { 0, NULL };
  610.      *     sscf->stapling_file = { 0, NULL };
  611.      *     sscf->stapling_responder = { 0, NULL };
  612.      */

  614.     sscf->prefer_server_ciphers = NGX_CONF_UNSET;
  615.     sscf->early_data = NGX_CONF_UNSET;
  616.     sscf->reject_handshake = NGX_CONF_UNSET;
  617.     sscf->buffer_size = NGX_CONF_UNSET_SIZE;
  618.     sscf->verify = NGX_CONF_UNSET_UINT;
  619.     sscf->verify_depth = NGX_CONF_UNSET_UINT;
  620.     sscf->certificates = NGX_CONF_UNSET_PTR;
  621.     sscf->certificate_keys = NGX_CONF_UNSET_PTR;
  622.     sscf->passwords = NGX_CONF_UNSET_PTR;
  623.     sscf->conf_commands = NGX_CONF_UNSET_PTR;
  624.     sscf->builtin_session_cache = NGX_CONF_UNSET;
  625.     sscf->session_timeout = NGX_CONF_UNSET;
  626.     sscf->session_tickets = NGX_CONF_UNSET;
  627.     sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
  628.     sscf->ocsp = NGX_CONF_UNSET_UINT;
  629.     sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
  630.     sscf->stapling = NGX_CONF_UNSET;
  631.     sscf->stapling_verify = NGX_CONF_UNSET;

  633.     return sscf;
  634. }


  637. static char *
  638. ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
  639. {
  640.     ngx_http_ssl_srv_conf_t *prev = parent;
  641.     ngx_http_ssl_srv_conf_t *conf = child;

  643.     ngx_pool_cleanup_t  *cln;

  645.     ngx_conf_merge_value(conf->session_timeout,
  646.                          prev->session_timeout, 300);

  648.     ngx_conf_merge_value(conf->prefer_server_ciphers,
  649.                          prev->prefer_server_ciphers, 0);

  651.     ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
  652.     ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);

  654.     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
  655.                          (NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS));

  657.     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
  658.                          NGX_SSL_BUFSIZE);

  660.     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
  661.     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

  663.     ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
  664.     ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
  665.                          NULL);

  667.     ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

  669.     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

  671.     ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
  672.                          "");
  673.     ngx_conf_merge_str_value(conf->trusted_certificate,
  674.                          prev->trusted_certificate, "");
  675.     ngx_conf_merge_str_value(conf->crl, prev->crl, "");

  677.     ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
  678.                          NGX_DEFAULT_ECDH_CURVE);

  680.     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);

  682.     ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);

  684.     ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
  685.     ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
  686.     ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
  687.                          prev->ocsp_cache_zone, NULL);

  689.     ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
  690.     ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
  691.     ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
  692.     ngx_conf_merge_str_value(conf->stapling_responder,
  693.                          prev->stapling_responder, "");

  695.     conf->ssl.log = cf->log;

  697.     if (conf->certificates) {

  699.         if (conf->certificate_keys == NULL
  700.             || conf->certificate_keys->nelts < conf->certificates->nelts)
  701.         {
  702.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  703.                           "no \"ssl_certificate_key\" is defined "
  704.                           "for certificate \"%V\"",
  705.                           ((ngx_str_t *) conf->certificates->elts)
  706.                           + conf->certificates->nelts - 1);
  707.             return NGX_CONF_ERROR;
  708.         }

  710.     } else if (!conf->reject_handshake) {
  711.         return NGX_CONF_OK;
  712.     }

  714.     if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
  715.         return NGX_CONF_ERROR;
  716.     }

  718.     cln = ngx_pool_cleanup_add(cf->pool, 0);
  719.     if (cln == NULL) {
  720.         ngx_ssl_cleanup_ctx(&conf->ssl);
  721.         return NGX_CONF_ERROR;
  722.     }

  724.     cln->handler = ngx_ssl_cleanup_ctx;
  725.     cln->data = &conf->ssl;

  727. #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

  729.     if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
  730.                                                ngx_http_ssl_servername)
  731.         == 0)
  732.     {
  733.         ngx_log_error(NGX_LOG_WARN, cf->log, 0,
  734.             "nginx was built with SNI support, however, now it is linked "
  735.             "dynamically to an OpenSSL library which has no tlsext support, "
  736.             "therefore SNI is not available");
  737.     }

  739. #endif

  741. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
  742.     SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
  743. #endif

  745.     if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
  746.                         conf->prefer_server_ciphers)
  747.         != NGX_OK)
  748.     {
  749.         return NGX_CONF_ERROR;
  750.     }

  752.     if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
  753.         return NGX_CONF_ERROR;
  754.     }

  756.     if (conf->certificate_values) {

  758. #ifdef SSL_R_CERT_CB_ERROR

  760.         /* install callback to lookup certificates */

  762.         SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf);

  764. #else
  765.         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  766.                       "variables in "
  767.                       "\"ssl_certificate\" and \"ssl_certificate_key\" "
  768.                       "directives are not supported on this platform");
  769.         return NGX_CONF_ERROR;
  770. #endif

  772.     } else if (conf->certificates) {

  774.         /* configure certificates */

  776.         if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
  777.                                  conf->certificate_keys, conf->passwords)
  778.             != NGX_OK)
  779.         {
  780.             return NGX_CONF_ERROR;
  781.         }
  782.     }

  784.     conf->ssl.buffer_size = conf->buffer_size;

  786.     if (conf->verify) {

  788.         if (conf->verify != 3
  789.             && conf->client_certificate.len == 0
  790.             && conf->trusted_certificate.len == 0)
  791.         {
  792.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  793.                           "no ssl_client_certificate or "
  794.                           "ssl_trusted_certificate for ssl_verify_client");
  795.             return NGX_CONF_ERROR;
  796.         }

  798.         if (ngx_ssl_client_certificate(cf, &conf->ssl,
  799.                                        &conf->client_certificate,
  800.                                        conf->verify_depth)
  801.             != NGX_OK)
  802.         {
  803.             return NGX_CONF_ERROR;
  804.         }
  805.     }

  807.     if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
  808.                                     &conf->trusted_certificate,
  809.                                     conf->verify_depth)
  810.         != NGX_OK)
  811.     {
  812.         return NGX_CONF_ERROR;
  813.     }

  815.     if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
  816.         return NGX_CONF_ERROR;
  817.     }

  819.     if (conf->ocsp) {

  821.         if (conf->verify == 3) {
  822.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  823.                           "\"ssl_ocsp\" is incompatible with "
  824.                           "\"ssl_verify_client optional_no_ca\"");
  825.             return NGX_CONF_ERROR;
  826.         }

  828.         if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp,
  829.                          conf->ocsp_cache_zone)
  830.             != NGX_OK)
  831.         {
  832.             return NGX_CONF_ERROR;
  833.         }
  834.     }

  836.     if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
  837.         return NGX_CONF_ERROR;
  838.     }

  840.     if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
  841.         return NGX_CONF_ERROR;
  842.     }

  844.     ngx_conf_merge_value(conf->builtin_session_cache,
  845.                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

  847.     if (conf->shm_zone == NULL) {
  848.         conf->shm_zone = prev->shm_zone;
  849.     }

  851.     if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx,
  852.                               conf->certificates, conf->builtin_session_cache,
  853.                               conf->shm_zone, conf->session_timeout)
  854.         != NGX_OK)
  855.     {
  856.         return NGX_CONF_ERROR;
  857.     }

  859.     ngx_conf_merge_value(conf->session_tickets, prev->session_tickets, 1);

  861. #ifdef SSL_OP_NO_TICKET
  862.     if (!conf->session_tickets) {
  863.         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
  864.     }
  865. #endif

  867.     ngx_conf_merge_ptr_value(conf->session_ticket_keys,
  868.                          prev->session_ticket_keys, NULL);

  870.     if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
  871.         != NGX_OK)
  872.     {
  873.         return NGX_CONF_ERROR;
  874.     }

  876.     if (conf->stapling) {

  878.         if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
  879.                              &conf->stapling_responder, conf->stapling_verify)
  880.             != NGX_OK)
  881.         {
  882.             return NGX_CONF_ERROR;
  883.         }

  885.     }

  887.     if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
  888.         return NGX_CONF_ERROR;
  889.     }

  891.     if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
  892.         return NGX_CONF_ERROR;
  893.     }

  895.     return NGX_CONF_OK;
  896. }


  899. static ngx_int_t
  900. ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
  901.     ngx_http_ssl_srv_conf_t *conf)
  902. {
  903.     ngx_str_t                         *cert, *key;
  904.     ngx_uint_t                         i, nelts;
  905.     ngx_http_complex_value_t          *cv;
  906.     ngx_http_compile_complex_value_t   ccv;

  908.     if (conf->certificates == NULL) {
  909.         return NGX_OK;
  910.     }

  912.     cert = conf->certificates->elts;
  913.     key = conf->certificate_keys->elts;
  914.     nelts = conf->certificates->nelts;

  916.     for (i = 0; i < nelts; i++) {

  918.         if (ngx_http_script_variables_count(&cert[i])) {
  919.             goto found;
  920.         }

  922.         if (ngx_http_script_variables_count(&key[i])) {
  923.             goto found;
  924.         }
  925.     }

  927.     return NGX_OK;

  929. found:

  931.     conf->certificate_values = ngx_array_create(cf->pool, nelts,
  932.                                              sizeof(ngx_http_complex_value_t));
  933.     if (conf->certificate_values == NULL) {
  934.         return NGX_ERROR;
  935.     }

  937.     conf->certificate_key_values = ngx_array_create(cf->pool, nelts,
  938.                                              sizeof(ngx_http_complex_value_t));
  939.     if (conf->certificate_key_values == NULL) {
  940.         return NGX_ERROR;
  941.     }

  943.     for (i = 0; i < nelts; i++) {

  945.         cv = ngx_array_push(conf->certificate_values);
  946.         if (cv == NULL) {
  947.             return NGX_ERROR;
  948.         }

  950.         ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));

  952.         ccv.cf = cf;
  953.         ccv.value = &cert[i];
  954.         ccv.complex_value = cv;
  955.         ccv.zero = 1;

  957.         if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
  958.             return NGX_ERROR;
  959.         }

  961.         cv = ngx_array_push(conf->certificate_key_values);
  962.         if (cv == NULL) {
  963.             return NGX_ERROR;
  964.         }

  966.         ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));

  968.         ccv.cf = cf;
  969.         ccv.value = &key[i];
  970.         ccv.complex_value = cv;
  971.         ccv.zero = 1;

  973.         if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
  974.             return NGX_ERROR;
  975.         }
  976.     }

  978.     conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
  979.     if (conf->passwords == NULL) {
  980.         return NGX_ERROR;
  981.     }

  983.     return NGX_OK;
  984. }


  987. static char *
  988. ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  989. {
  990.     ngx_http_ssl_srv_conf_t *sscf = conf;

  992.     ngx_str_t  *value;

  994.     if (sscf->passwords != NGX_CONF_UNSET_PTR) {
  995.         return "is duplicate";
  996.     }

  998.     value = cf->args->elts;

  1000.     sscf->passwords = ngx_ssl_read_password_file(cf, &value[1]);

  1002.     if (sscf->passwords == NULL) {
  1003.         return NGX_CONF_ERROR;
  1004.     }

  1006.     return NGX_CONF_OK;
  1007. }


  1010. static char *
  1011. ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  1012. {
  1013.     ngx_http_ssl_srv_conf_t *sscf = conf;

  1015.     size_t       len;
  1016.     ngx_str_t   *value, name, size;
  1017.     ngx_int_t    n;
  1018.     ngx_uint_t   i, j;

  1020.     value = cf->args->elts;

  1022.     for (i = 1; i < cf->args->nelts; i++) {

  1024.         if (ngx_strcmp(value[i].data, "off") == 0) {
  1025.             sscf->builtin_session_cache = NGX_SSL_NO_SCACHE;
  1026.             continue;
  1027.         }

  1029.         if (ngx_strcmp(value[i].data, "none") == 0) {
  1030.             sscf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
  1031.             continue;
  1032.         }

  1034.         if (ngx_strcmp(value[i].data, "builtin") == 0) {
  1035.             sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
  1036.             continue;
  1037.         }

  1039.         if (value[i].len > sizeof("builtin:") - 1
  1040.             && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
  1041.                == 0)
  1042.         {
  1043.             n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
  1044.                          value[i].len - (sizeof("builtin:") - 1));

  1046.             if (n == NGX_ERROR) {
  1047.                 goto invalid;
  1048.             }

  1050.             sscf->builtin_session_cache = n;

  1052.             continue;
  1053.         }

  1055.         if (value[i].len > sizeof("shared:") - 1
  1056.             && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
  1057.                == 0)
  1058.         {
  1059.             len = 0;

  1061.             for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
  1062.                 if (value[i].data[j] == ':') {
  1063.                     break;
  1064.                 }

  1066.                 len++;
  1067.             }

  1069.             if (len == 0 || j == value[i].len) {
  1070.                 goto invalid;
  1071.             }

  1073.             name.len = len;
  1074.             name.data = value[i].data + sizeof("shared:") - 1;

  1076.             size.len = value[i].len - j - 1;
  1077.             size.data = name.data + len + 1;

  1079.             n = ngx_parse_size(&size);

  1081.             if (n == NGX_ERROR) {
  1082.                 goto invalid;
  1083.             }

  1085.             if (n < (ngx_int_t) (8 * ngx_pagesize)) {
  1086.                 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  1087.                                    "session cache \"%V\" is too small",
  1088.                                    &value[i]);

  1090.                 return NGX_CONF_ERROR;
  1091.             }

  1093.             sscf->shm_zone = ngx_shared_memory_add(cf, &name, n,
  1094.                                                    &ngx_http_ssl_module);
  1095.             if (sscf->shm_zone == NULL) {
  1096.                 return NGX_CONF_ERROR;
  1097.             }

  1099.             sscf->shm_zone->init = ngx_ssl_session_cache_init;

  1101.             continue;
  1102.         }

  1104.         goto invalid;
  1105.     }

  1107.     if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) {
  1108.         sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
  1109.     }

  1111.     return NGX_CONF_OK;

  1113. invalid:

  1115.     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  1116.                        "invalid session cache \"%V\"", &value[i]);

  1118.     return NGX_CONF_ERROR;
  1119. }


  1122. static char *
  1123. ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  1124. {
  1125.     ngx_http_ssl_srv_conf_t *sscf = conf;

  1127.     size_t       len;
  1128.     ngx_int_t    n;
  1129.     ngx_str_t   *value, name, size;
  1130.     ngx_uint_t   j;

  1132.     if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) {
  1133.         return "is duplicate";
  1134.     }

  1136.     value = cf->args->elts;

  1138.     if (ngx_strcmp(value[1].data, "off") == 0) {
  1139.         sscf->ocsp_cache_zone = NULL;
  1140.         return NGX_CONF_OK;
  1141.     }

  1143.     if (value[1].len <= sizeof("shared:") - 1
  1144.         || ngx_strncmp(value[1].data, "shared:", sizeof("shared:") - 1) != 0)
  1145.     {
  1146.         goto invalid;
  1147.     }

  1149.     len = 0;

  1151.     for (j = sizeof("shared:") - 1; j < value[1].len; j++) {
  1152.         if (value[1].data[j] == ':') {
  1153.             break;
  1154.         }

  1156.         len++;
  1157.     }

  1159.     if (len == 0 || j == value[1].len) {
  1160.         goto invalid;
  1161.     }

  1163.     name.len = len;
  1164.     name.data = value[1].data + sizeof("shared:") - 1;

  1166.     size.len = value[1].len - j - 1;
  1167.     size.data = name.data + len + 1;

  1169.     n = ngx_parse_size(&size);

  1171.     if (n == NGX_ERROR) {
  1172.         goto invalid;
  1173.     }

  1175.     if (n < (ngx_int_t) (8 * ngx_pagesize)) {
  1176.         ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  1177.                            "OCSP cache \"%V\" is too small", &value[1]);

  1179.         return NGX_CONF_ERROR;
  1180.     }

  1182.     sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n,
  1183.                                                   &ngx_http_ssl_module_ctx);
  1184.     if (sscf->ocsp_cache_zone == NULL) {
  1185.         return NGX_CONF_ERROR;
  1186.     }

  1188.     sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init;

  1190.     return NGX_CONF_OK;

  1192. invalid:

  1194.     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  1195.                        "invalid OCSP cache \"%V\"", &value[1]);

  1197.     return NGX_CONF_ERROR;
  1198. }


  1201. static char *
  1202. ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
  1203. {
  1204. #ifndef SSL_CONF_FLAG_FILE
  1205.     return "is not supported on this platform";
  1206. #else
  1207.     return NGX_CONF_OK;
  1208. #endif
  1209. }


  1212. static ngx_int_t
  1213. ngx_http_ssl_init(ngx_conf_t *cf)
  1214. {
  1215.     ngx_uint_t                   a, p, s;
  1216.     const char                  *name;
  1217.     ngx_http_conf_addr_t        *addr;
  1218.     ngx_http_conf_port_t        *port;
  1219.     ngx_http_ssl_srv_conf_t     *sscf;
  1220.     ngx_http_core_loc_conf_t    *clcf;
  1221.     ngx_http_core_srv_conf_t   **cscfp, *cscf;
  1222.     ngx_http_core_main_conf_t   *cmcf;

  1224.     cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
  1225.     cscfp = cmcf->servers.elts;

  1227.     for (s = 0; s < cmcf->servers.nelts; s++) {

  1229.         sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

  1231.         if (sscf->ssl.ctx == NULL) {
  1232.             continue;
  1233.         }

  1235.         clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];

  1237.         if (sscf->stapling) {
  1238.             if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
  1239.                                           clcf->resolver_timeout)
  1240.                 != NGX_OK)
  1241.             {
  1242.                 return NGX_ERROR;
  1243.             }
  1244.         }

  1246.         if (sscf->ocsp) {
  1247.             if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver,
  1248.                                       clcf->resolver_timeout)
  1249.                 != NGX_OK)
  1250.             {
  1251.                 return NGX_ERROR;
  1252.             }
  1253.         }
  1254.     }

  1256.     if (cmcf->ports == NULL) {
  1257.         return NGX_OK;
  1258.     }

  1260.     port = cmcf->ports->elts;
  1261.     for (p = 0; p < cmcf->ports->nelts; p++) {

  1263.         addr = port[p].addrs.elts;
  1264.         for (a = 0; a < port[p].addrs.nelts; a++) {

  1266.             if (!addr[a].opt.ssl && !addr[a].opt.quic) {
  1267.                 continue;
  1268.             }

  1270.             if (addr[a].opt.quic) {
  1271.                 name = "quic";

  1273. #if (NGX_QUIC_OPENSSL_COMPAT)
  1274.                 if (ngx_http_ssl_quic_compat_init(cf, &addr[a]) != NGX_OK) {
  1275.                     return NGX_ERROR;
  1276.                 }
  1277. #endif

  1279.             } else {
  1280.                 name = "ssl";
  1281.             }

  1283.             cscf = addr[a].default_server;
  1284.             sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

  1286.             if (sscf->certificates) {

  1288.                 if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) {
  1289.                     ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  1290.                                   "\"ssl_protocols\" must enable TLSv1.3 for "
  1291.                                   "the \"listen ... %s\" directive in %s:%ui",
  1292.                                   name, cscf->file_name, cscf->line);
  1293.                     return NGX_ERROR;
  1294.                 }

  1296.                 continue;
  1297.             }

  1299.             if (!sscf->reject_handshake) {
  1300.                 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  1301.                               "no \"ssl_certificate\" is defined for "
  1302.                               "the \"listen ... %s\" directive in %s:%ui",
  1303.                               name, cscf->file_name, cscf->line);
  1304.                 return NGX_ERROR;
  1305.             }

  1307.             /*
  1308.              * if no certificates are defined in the default server,
  1309.              * check all non-default server blocks
  1310.              */

  1312.             cscfp = addr[a].servers.elts;
  1313.             for (s = 0; s < addr[a].servers.nelts; s++) {

  1315.                 cscf = cscfp[s];
  1316.                 sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

  1318.                 if (sscf->certificates || sscf->reject_handshake) {
  1319.                     continue;
  1320.                 }

  1322.                 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  1323.                               "no \"ssl_certificate\" is defined for "
  1324.                               "the \"listen ... %s\" directive in %s:%ui",
  1325.                               name, cscf->file_name, cscf->line);
  1326.                 return NGX_ERROR;
  1327.             }
  1328.         }
  1329.     }

  1331.     return NGX_OK;
  1332. }


  1335. #if (NGX_QUIC_OPENSSL_COMPAT)

  1337. static ngx_int_t
  1338. ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, ngx_http_conf_addr_t *addr)
  1339. {
  1340.     ngx_uint_t                  s;
  1341.     ngx_http_ssl_srv_conf_t    *sscf;
  1342.     ngx_http_core_srv_conf_t  **cscfp, *cscf;

  1344.     cscfp = addr->servers.elts;
  1345.     for (s = 0; s < addr->servers.nelts; s++) {

  1347.         cscf = cscfp[s];
  1348.         sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];

  1350.         if (sscf->certificates || sscf->reject_handshake) {
  1351.             if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) {
  1352.                 return NGX_ERROR;
  1353.             }
  1354.         }
  1355.     }

  1357.     return NGX_OK;
  1358. }

  1360. #endif

One Level Up Top Level