One Level Up Top Level

src/mail/ngx_mail_ssl_module.c - nginx source code

Global variables defined

Functions defined

Macros defined

Source code


  2. /*
  3. * Copyright (C) Igor Sysoev
  4. * Copyright (C) Nginx, Inc.
  5. */


  8. #include <ngx_config.h>
  9. #include <ngx_core.h>
  10. #include <ngx_mail.h>


  13. #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
  14. #define NGX_DEFAULT_ECDH_CURVE  "auto"


  17. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
  18. static int ngx_mail_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
  19.     const unsigned char **out, unsigned char *outlen,
  20.     const unsigned char *in, unsigned int inlen, void *arg);
  21. #endif

  23. static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
  24. static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);

  26. static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
  27.     void *conf);
  28. static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
  29.     void *conf);
  30. static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
  31.     void *conf);

  33. static char *ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post,
  34.     void *data);


  37. static ngx_conf_enum_t  ngx_mail_starttls_state[] = {
  38.     { ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
  39.     { ngx_string("on"), NGX_MAIL_STARTTLS_ON },
  40.     { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY },
  41.     { ngx_null_string, 0 }
  42. };



  46. static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
  47.     { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
  48.     { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
  49.     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
  50.     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
  51.     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
  52.     { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
  53.     { ngx_null_string, 0 }
  54. };


  57. static ngx_conf_enum_t  ngx_mail_ssl_verify[] = {
  58.     { ngx_string("off"), 0 },
  59.     { ngx_string("on"), 1 },
  60.     { ngx_string("optional"), 2 },
  61.     { ngx_string("optional_no_ca"), 3 },
  62.     { ngx_null_string, 0 }
  63. };


  66. static ngx_conf_post_t  ngx_mail_ssl_conf_command_post =
  67.     { ngx_mail_ssl_conf_command_check };


  70. static ngx_command_t  ngx_mail_ssl_commands[] = {

  72.     { ngx_string("starttls"),
  73.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  74.       ngx_mail_ssl_starttls,
  75.       NGX_MAIL_SRV_CONF_OFFSET,
  76.       offsetof(ngx_mail_ssl_conf_t, starttls),
  77.       ngx_mail_starttls_state },

  79.     { ngx_string("ssl_certificate"),
  80.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  81.       ngx_conf_set_str_array_slot,
  82.       NGX_MAIL_SRV_CONF_OFFSET,
  83.       offsetof(ngx_mail_ssl_conf_t, certificates),
  84.       NULL },

  86.     { ngx_string("ssl_certificate_key"),
  87.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  88.       ngx_conf_set_str_array_slot,
  89.       NGX_MAIL_SRV_CONF_OFFSET,
  90.       offsetof(ngx_mail_ssl_conf_t, certificate_keys),
  91.       NULL },

  93.     { ngx_string("ssl_password_file"),
  94.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  95.       ngx_mail_ssl_password_file,
  96.       NGX_MAIL_SRV_CONF_OFFSET,
  97.       0,
  98.       NULL },

  100.     { ngx_string("ssl_dhparam"),
  101.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  102.       ngx_conf_set_str_slot,
  103.       NGX_MAIL_SRV_CONF_OFFSET,
  104.       offsetof(ngx_mail_ssl_conf_t, dhparam),
  105.       NULL },

  107.     { ngx_string("ssl_ecdh_curve"),
  108.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  109.       ngx_conf_set_str_slot,
  110.       NGX_MAIL_SRV_CONF_OFFSET,
  111.       offsetof(ngx_mail_ssl_conf_t, ecdh_curve),
  112.       NULL },

  114.     { ngx_string("ssl_protocols"),
  115.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
  116.       ngx_conf_set_bitmask_slot,
  117.       NGX_MAIL_SRV_CONF_OFFSET,
  118.       offsetof(ngx_mail_ssl_conf_t, protocols),
  119.       &ngx_mail_ssl_protocols },

  121.     { ngx_string("ssl_ciphers"),
  122.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  123.       ngx_conf_set_str_slot,
  124.       NGX_MAIL_SRV_CONF_OFFSET,
  125.       offsetof(ngx_mail_ssl_conf_t, ciphers),
  126.       NULL },

  128.     { ngx_string("ssl_prefer_server_ciphers"),
  129.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
  130.       ngx_conf_set_flag_slot,
  131.       NGX_MAIL_SRV_CONF_OFFSET,
  132.       offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers),
  133.       NULL },

  135.     { ngx_string("ssl_session_cache"),
  136.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
  137.       ngx_mail_ssl_session_cache,
  138.       NGX_MAIL_SRV_CONF_OFFSET,
  139.       0,
  140.       NULL },

  142.     { ngx_string("ssl_session_tickets"),
  143.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
  144.       ngx_conf_set_flag_slot,
  145.       NGX_MAIL_SRV_CONF_OFFSET,
  146.       offsetof(ngx_mail_ssl_conf_t, session_tickets),
  147.       NULL },

  149.     { ngx_string("ssl_session_ticket_key"),
  150.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  151.       ngx_conf_set_str_array_slot,
  152.       NGX_MAIL_SRV_CONF_OFFSET,
  153.       offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
  154.       NULL },

  156.     { ngx_string("ssl_session_timeout"),
  157.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  158.       ngx_conf_set_sec_slot,
  159.       NGX_MAIL_SRV_CONF_OFFSET,
  160.       offsetof(ngx_mail_ssl_conf_t, session_timeout),
  161.       NULL },

  163.     { ngx_string("ssl_verify_client"),
  164.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  165.       ngx_conf_set_enum_slot,
  166.       NGX_MAIL_SRV_CONF_OFFSET,
  167.       offsetof(ngx_mail_ssl_conf_t, verify),
  168.       &ngx_mail_ssl_verify },

  170.     { ngx_string("ssl_verify_depth"),
  171.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  172.       ngx_conf_set_num_slot,
  173.       NGX_MAIL_SRV_CONF_OFFSET,
  174.       offsetof(ngx_mail_ssl_conf_t, verify_depth),
  175.       NULL },

  177.     { ngx_string("ssl_client_certificate"),
  178.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  179.       ngx_conf_set_str_slot,
  180.       NGX_MAIL_SRV_CONF_OFFSET,
  181.       offsetof(ngx_mail_ssl_conf_t, client_certificate),
  182.       NULL },

  184.     { ngx_string("ssl_trusted_certificate"),
  185.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  186.       ngx_conf_set_str_slot,
  187.       NGX_MAIL_SRV_CONF_OFFSET,
  188.       offsetof(ngx_mail_ssl_conf_t, trusted_certificate),
  189.       NULL },

  191.     { ngx_string("ssl_crl"),
  192.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  193.       ngx_conf_set_str_slot,
  194.       NGX_MAIL_SRV_CONF_OFFSET,
  195.       offsetof(ngx_mail_ssl_conf_t, crl),
  196.       NULL },

  198.     { ngx_string("ssl_conf_command"),
  199.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE2,
  200.       ngx_conf_set_keyval_slot,
  201.       NGX_MAIL_SRV_CONF_OFFSET,
  202.       offsetof(ngx_mail_ssl_conf_t, conf_commands),
  203.       &ngx_mail_ssl_conf_command_post },

  205.       ngx_null_command
  206. };


  209. static ngx_mail_module_t  ngx_mail_ssl_module_ctx = {
  210.     NULL,                                  /* protocol */

  212.     NULL,                                  /* create main configuration */
  213.     NULL,                                  /* init main configuration */

  215.     ngx_mail_ssl_create_conf,              /* create server configuration */
  216.     ngx_mail_ssl_merge_conf                /* merge server configuration */
  217. };


  220. ngx_module_t  ngx_mail_ssl_module = {
  221.     NGX_MODULE_V1,
  222.     &ngx_mail_ssl_module_ctx,              /* module context */
  223.     ngx_mail_ssl_commands,                 /* module directives */
  224.     NGX_MAIL_MODULE,                       /* module type */
  225.     NULL,                                  /* init master */
  226.     NULL,                                  /* init module */
  227.     NULL,                                  /* init process */
  228.     NULL,                                  /* init thread */
  229.     NULL,                                  /* exit thread */
  230.     NULL,                                  /* exit process */
  231.     NULL,                                  /* exit master */
  232.     NGX_MODULE_V1_PADDING
  233. };


  236. static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL");


  239. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

  241. static int
  242. ngx_mail_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
  243.     unsigned char *outlen, const unsigned char *in, unsigned int inlen,
  244.     void *arg)
  245. {
  246.     unsigned int               srvlen;
  247.     unsigned char             *srv;
  248.     ngx_connection_t          *c;
  249.     ngx_mail_session_t        *s;
  250.     ngx_mail_core_srv_conf_t  *cscf;
  251. #if (NGX_DEBUG)
  252.     unsigned int               i;
  253. #endif

  255.     c = ngx_ssl_get_connection(ssl_conn);
  256.     s = c->data;

  258. #if (NGX_DEBUG)
  259.     for (i = 0; i < inlen; i += in[i] + 1) {
  260.         ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0,
  261.                        "SSL ALPN supported by client: %*s",
  262.                        (size_t) in[i], &in[i + 1]);
  263.     }
  264. #endif

  266.     cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);

  268.     srv = cscf->protocol->alpn.data;
  269.     srvlen = cscf->protocol->alpn.len;

  271.     if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
  272.                               in, inlen)
  273.         != OPENSSL_NPN_NEGOTIATED)
  274.     {
  275.         return SSL_TLSEXT_ERR_ALERT_FATAL;
  276.     }

  278.     ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0,
  279.                    "SSL ALPN selected: %*s", (size_t) *outlen, *out);

  281.     return SSL_TLSEXT_ERR_OK;
  282. }

  284. #endif


  287. static void *
  288. ngx_mail_ssl_create_conf(ngx_conf_t *cf)
  289. {
  290.     ngx_mail_ssl_conf_t  *scf;

  292.     scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t));
  293.     if (scf == NULL) {
  294.         return NULL;
  295.     }

  297.     /*
  298.      * set by ngx_pcalloc():
  299.      *
  300.      *     scf->listen = 0;
  301.      *     scf->protocols = 0;
  302.      *     scf->dhparam = { 0, NULL };
  303.      *     scf->ecdh_curve = { 0, NULL };
  304.      *     scf->client_certificate = { 0, NULL };
  305.      *     scf->trusted_certificate = { 0, NULL };
  306.      *     scf->crl = { 0, NULL };
  307.      *     scf->ciphers = { 0, NULL };
  308.      *     scf->shm_zone = NULL;
  309.      */

  311.     scf->starttls = NGX_CONF_UNSET_UINT;
  312.     scf->certificates = NGX_CONF_UNSET_PTR;
  313.     scf->certificate_keys = NGX_CONF_UNSET_PTR;
  314.     scf->passwords = NGX_CONF_UNSET_PTR;
  315.     scf->conf_commands = NGX_CONF_UNSET_PTR;
  316.     scf->prefer_server_ciphers = NGX_CONF_UNSET;
  317.     scf->verify = NGX_CONF_UNSET_UINT;
  318.     scf->verify_depth = NGX_CONF_UNSET_UINT;
  319.     scf->builtin_session_cache = NGX_CONF_UNSET;
  320.     scf->session_timeout = NGX_CONF_UNSET;
  321.     scf->session_tickets = NGX_CONF_UNSET;
  322.     scf->session_ticket_keys = NGX_CONF_UNSET_PTR;

  324.     return scf;
  325. }


  328. static char *
  329. ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
  330. {
  331.     ngx_mail_ssl_conf_t *prev = parent;
  332.     ngx_mail_ssl_conf_t *conf = child;

  334.     char                *mode;
  335.     ngx_pool_cleanup_t  *cln;

  337.     ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
  338.                          NGX_MAIL_STARTTLS_OFF);

  340.     ngx_conf_merge_value(conf->session_timeout,
  341.                          prev->session_timeout, 300);

  343.     ngx_conf_merge_value(conf->prefer_server_ciphers,
  344.                          prev->prefer_server_ciphers, 0);

  346.     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
  347.                          (NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS));

  349.     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
  350.     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

  352.     ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
  353.     ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
  354.                          NULL);

  356.     ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

  358.     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

  360.     ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
  361.                          NGX_DEFAULT_ECDH_CURVE);

  363.     ngx_conf_merge_str_value(conf->client_certificate,
  364.                          prev->client_certificate, "");
  365.     ngx_conf_merge_str_value(conf->trusted_certificate,
  366.                          prev->trusted_certificate, "");
  367.     ngx_conf_merge_str_value(conf->crl, prev->crl, "");

  369.     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);

  371.     ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);


  374.     conf->ssl.log = cf->log;

  376.     if (conf->listen) {
  377.         mode = "listen ... ssl";

  379.     } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
  380.         mode = "starttls";

  382.     } else {
  383.         return NGX_CONF_OK;
  384.     }

  386.     if (conf->file == NULL) {
  387.         conf->file = prev->file;
  388.         conf->line = prev->line;
  389.     }

  391.     if (conf->certificates == NULL) {
  392.         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  393.                       "no \"ssl_certificate\" is defined for "
  394.                       "the \"%s\" directive in %s:%ui",
  395.                       mode, conf->file, conf->line);
  396.         return NGX_CONF_ERROR;
  397.     }

  399.     if (conf->certificate_keys == NULL) {
  400.         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  401.                       "no \"ssl_certificate_key\" is defined for "
  402.                       "the \"%s\" directive in %s:%ui",
  403.                       mode, conf->file, conf->line);
  404.         return NGX_CONF_ERROR;
  405.     }

  407.     if (conf->certificate_keys->nelts < conf->certificates->nelts) {
  408.         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  409.                       "no \"ssl_certificate_key\" is defined "
  410.                       "for certificate \"%V\" and "
  411.                       "the \"%s\" directive in %s:%ui",
  412.                       ((ngx_str_t *) conf->certificates->elts)
  413.                       + conf->certificates->nelts - 1,
  414.                       mode, conf->file, conf->line);
  415.         return NGX_CONF_ERROR;
  416.     }

  418.     if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
  419.         return NGX_CONF_ERROR;
  420.     }

  422.     cln = ngx_pool_cleanup_add(cf->pool, 0);
  423.     if (cln == NULL) {
  424.         ngx_ssl_cleanup_ctx(&conf->ssl);
  425.         return NGX_CONF_ERROR;
  426.     }

  428.     cln->handler = ngx_ssl_cleanup_ctx;
  429.     cln->data = &conf->ssl;

  431. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
  432.     SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL);
  433. #endif

  435.     if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
  436.                         conf->prefer_server_ciphers)
  437.         != NGX_OK)
  438.     {
  439.         return NGX_CONF_ERROR;
  440.     }

  442.     if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
  443.                              conf->certificate_keys, conf->passwords)
  444.         != NGX_OK)
  445.     {
  446.         return NGX_CONF_ERROR;
  447.     }

  449.     if (conf->verify) {

  451.         if (conf->verify != 3
  452.             && conf->client_certificate.len == 0
  453.             && conf->trusted_certificate.len == 0)
  454.         {
  455.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  456.                           "no ssl_client_certificate or "
  457.                           "ssl_trusted_certificate for ssl_verify_client");
  458.             return NGX_CONF_ERROR;
  459.         }

  461.         if (ngx_ssl_client_certificate(cf, &conf->ssl,
  462.                                        &conf->client_certificate,
  463.                                        conf->verify_depth)
  464.             != NGX_OK)
  465.         {
  466.             return NGX_CONF_ERROR;
  467.         }

  469.         if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
  470.                                         &conf->trusted_certificate,
  471.                                         conf->verify_depth)
  472.             != NGX_OK)
  473.         {
  474.             return NGX_CONF_ERROR;
  475.         }

  477.         if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
  478.             return NGX_CONF_ERROR;
  479.         }
  480.     }

  482.     if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
  483.         return NGX_CONF_ERROR;
  484.     }

  486.     if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
  487.         return NGX_CONF_ERROR;
  488.     }

  490.     ngx_conf_merge_value(conf->builtin_session_cache,
  491.                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

  493.     if (conf->shm_zone == NULL) {
  494.         conf->shm_zone = prev->shm_zone;
  495.     }

  497.     if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
  498.                               conf->certificates, conf->builtin_session_cache,
  499.                               conf->shm_zone, conf->session_timeout)
  500.         != NGX_OK)
  501.     {
  502.         return NGX_CONF_ERROR;
  503.     }

  505.     ngx_conf_merge_value(conf->session_tickets,
  506.                          prev->session_tickets, 1);

  508. #ifdef SSL_OP_NO_TICKET
  509.     if (!conf->session_tickets) {
  510.         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
  511.     }
  512. #endif

  514.     ngx_conf_merge_ptr_value(conf->session_ticket_keys,
  515.                          prev->session_ticket_keys, NULL);

  517.     if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
  518.         != NGX_OK)
  519.     {
  520.         return NGX_CONF_ERROR;
  521.     }

  523.     if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
  524.         return NGX_CONF_ERROR;
  525.     }

  527.     return NGX_CONF_OK;
  528. }


  531. static char *
  532. ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  533. {
  534.     ngx_mail_ssl_conf_t  *scf = conf;

  536.     char  *rv;

  538.     rv = ngx_conf_set_enum_slot(cf, cmd, conf);

  540.     if (rv != NGX_CONF_OK) {
  541.         return rv;
  542.     }

  544.     if (!scf->listen) {
  545.         scf->file = cf->conf_file->file.name.data;
  546.         scf->line = cf->conf_file->line;
  547.     }

  549.     return NGX_CONF_OK;
  550. }


  553. static char *
  554. ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  555. {
  556.     ngx_mail_ssl_conf_t  *scf = conf;

  558.     ngx_str_t  *value;

  560.     if (scf->passwords != NGX_CONF_UNSET_PTR) {
  561.         return "is duplicate";
  562.     }

  564.     value = cf->args->elts;

  566.     scf->passwords = ngx_ssl_read_password_file(cf, &value[1]);

  568.     if (scf->passwords == NULL) {
  569.         return NGX_CONF_ERROR;
  570.     }

  572.     return NGX_CONF_OK;
  573. }


  576. static char *
  577. ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  578. {
  579.     ngx_mail_ssl_conf_t  *scf = conf;

  581.     size_t       len;
  582.     ngx_str_t   *value, name, size;
  583.     ngx_int_t    n;
  584.     ngx_uint_t   i, j;

  586.     value = cf->args->elts;

  588.     for (i = 1; i < cf->args->nelts; i++) {

  590.         if (ngx_strcmp(value[i].data, "off") == 0) {
  591.             scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
  592.             continue;
  593.         }

  595.         if (ngx_strcmp(value[i].data, "none") == 0) {
  596.             scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
  597.             continue;
  598.         }

  600.         if (ngx_strcmp(value[i].data, "builtin") == 0) {
  601.             scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
  602.             continue;
  603.         }

  605.         if (value[i].len > sizeof("builtin:") - 1
  606.             && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
  607.                == 0)
  608.         {
  609.             n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
  610.                          value[i].len - (sizeof("builtin:") - 1));

  612.             if (n == NGX_ERROR) {
  613.                 goto invalid;
  614.             }

  616.             scf->builtin_session_cache = n;

  618.             continue;
  619.         }

  621.         if (value[i].len > sizeof("shared:") - 1
  622.             && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
  623.                == 0)
  624.         {
  625.             len = 0;

  627.             for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
  628.                 if (value[i].data[j] == ':') {
  629.                     break;
  630.                 }

  632.                 len++;
  633.             }

  635.             if (len == 0 || j == value[i].len) {
  636.                 goto invalid;
  637.             }

  639.             name.len = len;
  640.             name.data = value[i].data + sizeof("shared:") - 1;

  642.             size.len = value[i].len - j - 1;
  643.             size.data = name.data + len + 1;

  645.             n = ngx_parse_size(&size);

  647.             if (n == NGX_ERROR) {
  648.                 goto invalid;
  649.             }

  651.             if (n < (ngx_int_t) (8 * ngx_pagesize)) {
  652.                 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  653.                                    "session cache \"%V\" is too small",
  654.                                    &value[i]);

  656.                 return NGX_CONF_ERROR;
  657.             }

  659.             scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
  660.                                                    &ngx_mail_ssl_module);
  661.             if (scf->shm_zone == NULL) {
  662.                 return NGX_CONF_ERROR;
  663.             }

  665.             scf->shm_zone->init = ngx_ssl_session_cache_init;

  667.             continue;
  668.         }

  670.         goto invalid;
  671.     }

  673.     if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
  674.         scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
  675.     }

  677.     return NGX_CONF_OK;

  679. invalid:

  681.     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  682.                        "invalid session cache \"%V\"", &value[i]);

  684.     return NGX_CONF_ERROR;
  685. }


  688. static char *
  689. ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
  690. {
  691. #ifndef SSL_CONF_FLAG_FILE
  692.     return "is not supported on this platform";
  693. #else
  694.     return NGX_CONF_OK;
  695. #endif
  696. }

One Level Up Top Level