One Level Up Top Level

src/mail/ngx_mail_ssl_module.c - nginx-1.31.3 nginx/ @ 42f8df65b

Global variables defined

Functions defined

Macros defined

Source code


  2. /*
  3. * Copyright (C) Igor Sysoev
  4. * Copyright (C) Nginx, Inc.
  5. */


  8. #include <ngx_config.h>
  9. #include <ngx_core.h>
  10. #include <ngx_mail.h>


  13. #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
  14. #define NGX_DEFAULT_ECDH_CURVE  "auto"


  17. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
  18. static int ngx_mail_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
  19.     const unsigned char **out, unsigned char *outlen,
  20.     const unsigned char *in, unsigned int inlen, void *arg);
  21. #endif

  23. static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
  24. static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);

  26. static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
  27.     void *conf);
  28. static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
  29.     void *conf);
  30. static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
  31.     void *conf);

  33. static char *ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post,
  34.     void *data);


  37. static ngx_conf_enum_t  ngx_mail_starttls_state[] = {
  38.     { ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
  39.     { ngx_string("on"), NGX_MAIL_STARTTLS_ON },
  40.     { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY },
  41.     { ngx_null_string, 0 }
  42. };



  46. static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
  47.     { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
  48.     { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
  49.     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
  50.     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
  51.     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
  52.     { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
  53.     { ngx_null_string, 0 }
  54. };


  57. static ngx_conf_enum_t  ngx_mail_ssl_verify[] = {
  58.     { ngx_string("off"), 0 },
  59.     { ngx_string("on"), 1 },
  60.     { ngx_string("optional"), 2 },
  61.     { ngx_string("optional_no_ca"), 3 },
  62.     { ngx_null_string, 0 }
  63. };


  66. static ngx_conf_post_t  ngx_mail_ssl_conf_command_post =
  67.     { ngx_mail_ssl_conf_command_check };


  70. static ngx_command_t  ngx_mail_ssl_commands[] = {

  72.     { ngx_string("starttls"),
  73.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  74.       ngx_mail_ssl_starttls,
  75.       NGX_MAIL_SRV_CONF_OFFSET,
  76.       offsetof(ngx_mail_ssl_conf_t, starttls),
  77.       ngx_mail_starttls_state },

  79.     { ngx_string("ssl_certificate"),
  80.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  81.       ngx_conf_set_str_array_slot,
  82.       NGX_MAIL_SRV_CONF_OFFSET,
  83.       offsetof(ngx_mail_ssl_conf_t, certificates),
  84.       NULL },

  86.     { ngx_string("ssl_certificate_key"),
  87.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  88.       ngx_conf_set_str_array_slot,
  89.       NGX_MAIL_SRV_CONF_OFFSET,
  90.       offsetof(ngx_mail_ssl_conf_t, certificate_keys),
  91.       NULL },

  93.     { ngx_string("ssl_password_file"),
  94.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  95.       ngx_mail_ssl_password_file,
  96.       NGX_MAIL_SRV_CONF_OFFSET,
  97.       0,
  98.       NULL },

  100.     { ngx_string("ssl_certificate_compression"),
  101.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
  102.       ngx_conf_set_flag_slot,
  103.       NGX_MAIL_SRV_CONF_OFFSET,
  104.       offsetof(ngx_mail_ssl_conf_t, certificate_compression),
  105.       NULL },

  107.     { ngx_string("ssl_dhparam"),
  108.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  109.       ngx_conf_set_str_slot,
  110.       NGX_MAIL_SRV_CONF_OFFSET,
  111.       offsetof(ngx_mail_ssl_conf_t, dhparam),
  112.       NULL },

  114.     { ngx_string("ssl_ecdh_curve"),
  115.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  116.       ngx_conf_set_str_slot,
  117.       NGX_MAIL_SRV_CONF_OFFSET,
  118.       offsetof(ngx_mail_ssl_conf_t, ecdh_curve),
  119.       NULL },

  121.     { ngx_string("ssl_protocols"),
  122.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
  123.       ngx_conf_set_bitmask_slot,
  124.       NGX_MAIL_SRV_CONF_OFFSET,
  125.       offsetof(ngx_mail_ssl_conf_t, protocols),
  126.       &ngx_mail_ssl_protocols },

  128.     { ngx_string("ssl_ciphers"),
  129.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  130.       ngx_conf_set_str_slot,
  131.       NGX_MAIL_SRV_CONF_OFFSET,
  132.       offsetof(ngx_mail_ssl_conf_t, ciphers),
  133.       NULL },

  135.     { ngx_string("ssl_prefer_server_ciphers"),
  136.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
  137.       ngx_conf_set_flag_slot,
  138.       NGX_MAIL_SRV_CONF_OFFSET,
  139.       offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers),
  140.       NULL },

  142.     { ngx_string("ssl_session_cache"),
  143.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
  144.       ngx_mail_ssl_session_cache,
  145.       NGX_MAIL_SRV_CONF_OFFSET,
  146.       0,
  147.       NULL },

  149.     { ngx_string("ssl_session_tickets"),
  150.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
  151.       ngx_conf_set_flag_slot,
  152.       NGX_MAIL_SRV_CONF_OFFSET,
  153.       offsetof(ngx_mail_ssl_conf_t, session_tickets),
  154.       NULL },

  156.     { ngx_string("ssl_session_ticket_key"),
  157.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  158.       ngx_conf_set_str_array_slot,
  159.       NGX_MAIL_SRV_CONF_OFFSET,
  160.       offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
  161.       NULL },

  163.     { ngx_string("ssl_session_timeout"),
  164.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  165.       ngx_conf_set_sec_slot,
  166.       NGX_MAIL_SRV_CONF_OFFSET,
  167.       offsetof(ngx_mail_ssl_conf_t, session_timeout),
  168.       NULL },

  170.     { ngx_string("ssl_verify_client"),
  171.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  172.       ngx_conf_set_enum_slot,
  173.       NGX_MAIL_SRV_CONF_OFFSET,
  174.       offsetof(ngx_mail_ssl_conf_t, verify),
  175.       &ngx_mail_ssl_verify },

  177.     { ngx_string("ssl_verify_depth"),
  178.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  179.       ngx_conf_set_num_slot,
  180.       NGX_MAIL_SRV_CONF_OFFSET,
  181.       offsetof(ngx_mail_ssl_conf_t, verify_depth),
  182.       NULL },

  184.     { ngx_string("ssl_client_certificate"),
  185.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  186.       ngx_conf_set_str_slot,
  187.       NGX_MAIL_SRV_CONF_OFFSET,
  188.       offsetof(ngx_mail_ssl_conf_t, client_certificate),
  189.       NULL },

  191.     { ngx_string("ssl_trusted_certificate"),
  192.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  193.       ngx_conf_set_str_slot,
  194.       NGX_MAIL_SRV_CONF_OFFSET,
  195.       offsetof(ngx_mail_ssl_conf_t, trusted_certificate),
  196.       NULL },

  198.     { ngx_string("ssl_crl"),
  199.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  200.       ngx_conf_set_str_slot,
  201.       NGX_MAIL_SRV_CONF_OFFSET,
  202.       offsetof(ngx_mail_ssl_conf_t, crl),
  203.       NULL },

  205.     { ngx_string("ssl_conf_command"),
  206.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE2,
  207.       ngx_conf_set_keyval_slot,
  208.       NGX_MAIL_SRV_CONF_OFFSET,
  209.       offsetof(ngx_mail_ssl_conf_t, conf_commands),
  210.       &ngx_mail_ssl_conf_command_post },

  212.       ngx_null_command
  213. };


  216. static ngx_mail_module_t  ngx_mail_ssl_module_ctx = {
  217.     NULL,                                  /* protocol */

  219.     NULL,                                  /* create main configuration */
  220.     NULL,                                  /* init main configuration */

  222.     ngx_mail_ssl_create_conf,              /* create server configuration */
  223.     ngx_mail_ssl_merge_conf                /* merge server configuration */
  224. };


  227. ngx_module_t  ngx_mail_ssl_module = {
  228.     NGX_MODULE_V1,
  229.     &ngx_mail_ssl_module_ctx,              /* module context */
  230.     ngx_mail_ssl_commands,                 /* module directives */
  231.     NGX_MAIL_MODULE,                       /* module type */
  232.     NULL,                                  /* init master */
  233.     NULL,                                  /* init module */
  234.     NULL,                                  /* init process */
  235.     NULL,                                  /* init thread */
  236.     NULL,                                  /* exit thread */
  237.     NULL,                                  /* exit process */
  238.     NULL,                                  /* exit master */
  239.     NGX_MODULE_V1_PADDING
  240. };


  243. static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL");


  246. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

  248. static int
  249. ngx_mail_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
  250.     unsigned char *outlen, const unsigned char *in, unsigned int inlen,
  251.     void *arg)
  252. {
  253.     unsigned int               srvlen;
  254.     unsigned char             *srv;
  255.     ngx_connection_t          *c;
  256.     ngx_mail_session_t        *s;
  257.     ngx_mail_core_srv_conf_t  *cscf;
  258. #if (NGX_DEBUG)
  259.     unsigned int               i;
  260. #endif

  262.     c = ngx_ssl_get_connection(ssl_conn);
  263.     s = c->data;

  265. #if (NGX_DEBUG)
  266.     for (i = 0; i < inlen; i += in[i] + 1) {
  267.         ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0,
  268.                        "SSL ALPN supported by client: %*s",
  269.                        (size_t) in[i], &in[i + 1]);
  270.     }
  271. #endif

  273.     cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);

  275.     srv = cscf->protocol->alpn.data;
  276.     srvlen = cscf->protocol->alpn.len;

  278.     if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
  279.                               in, inlen)
  280.         != OPENSSL_NPN_NEGOTIATED)
  281.     {
  282.         return SSL_TLSEXT_ERR_ALERT_FATAL;
  283.     }

  285.     ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0,
  286.                    "SSL ALPN selected: %*s", (size_t) *outlen, *out);

  288.     return SSL_TLSEXT_ERR_OK;
  289. }

  291. #endif


  294. static void *
  295. ngx_mail_ssl_create_conf(ngx_conf_t *cf)
  296. {
  297.     ngx_mail_ssl_conf_t  *scf;

  299.     scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t));
  300.     if (scf == NULL) {
  301.         return NULL;
  302.     }

  304.     /*
  305.      * set by ngx_pcalloc():
  306.      *
  307.      *     scf->listen = 0;
  308.      *     scf->protocols = 0;
  309.      *     scf->dhparam = { 0, NULL };
  310.      *     scf->ecdh_curve = { 0, NULL };
  311.      *     scf->client_certificate = { 0, NULL };
  312.      *     scf->trusted_certificate = { 0, NULL };
  313.      *     scf->crl = { 0, NULL };
  314.      *     scf->ciphers = { 0, NULL };
  315.      *     scf->shm_zone = NULL;
  316.      */

  318.     scf->starttls = NGX_CONF_UNSET_UINT;
  319.     scf->certificates = NGX_CONF_UNSET_PTR;
  320.     scf->certificate_keys = NGX_CONF_UNSET_PTR;
  321.     scf->passwords = NGX_CONF_UNSET_PTR;
  322.     scf->conf_commands = NGX_CONF_UNSET_PTR;
  323.     scf->prefer_server_ciphers = NGX_CONF_UNSET;
  324.     scf->certificate_compression = NGX_CONF_UNSET;
  325.     scf->verify = NGX_CONF_UNSET_UINT;
  326.     scf->verify_depth = NGX_CONF_UNSET_UINT;
  327.     scf->builtin_session_cache = NGX_CONF_UNSET;
  328.     scf->session_timeout = NGX_CONF_UNSET;
  329.     scf->session_tickets = NGX_CONF_UNSET;
  330.     scf->session_ticket_keys = NGX_CONF_UNSET_PTR;

  332.     return scf;
  333. }


  336. static char *
  337. ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
  338. {
  339.     ngx_mail_ssl_conf_t *prev = parent;
  340.     ngx_mail_ssl_conf_t *conf = child;

  342.     char                *mode;
  343.     ngx_pool_cleanup_t  *cln;

  345.     ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
  346.                          NGX_MAIL_STARTTLS_OFF);

  348.     ngx_conf_merge_value(conf->session_timeout,
  349.                          prev->session_timeout, 300);

  351.     ngx_conf_merge_value(conf->prefer_server_ciphers,
  352.                          prev->prefer_server_ciphers, 0);

  354.     ngx_conf_merge_value(conf->certificate_compression,
  355.                          prev->certificate_compression, 0);

  357.     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
  358.                          (NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS));

  360.     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
  361.     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

  363.     ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
  364.     ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
  365.                          NULL);

  367.     ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

  369.     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

  371.     ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
  372.                          NGX_DEFAULT_ECDH_CURVE);

  374.     ngx_conf_merge_str_value(conf->client_certificate,
  375.                          prev->client_certificate, "");
  376.     ngx_conf_merge_str_value(conf->trusted_certificate,
  377.                          prev->trusted_certificate, "");
  378.     ngx_conf_merge_str_value(conf->crl, prev->crl, "");

  380.     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);

  382.     ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);


  385.     conf->ssl.log = cf->log;

  387.     if (conf->listen) {
  388.         mode = "listen ... ssl";

  390.     } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
  391.         mode = "starttls";

  393.     } else {
  394.         return NGX_CONF_OK;
  395.     }

  397.     if (conf->file == NULL) {
  398.         conf->file = prev->file;
  399.         conf->line = prev->line;
  400.     }

  402.     if (conf->certificates == NULL) {
  403.         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  404.                       "no \"ssl_certificate\" is defined for "
  405.                       "the \"%s\" directive in %s:%ui",
  406.                       mode, conf->file, conf->line);
  407.         return NGX_CONF_ERROR;
  408.     }

  410.     if (conf->certificate_keys == NULL) {
  411.         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  412.                       "no \"ssl_certificate_key\" is defined for "
  413.                       "the \"%s\" directive in %s:%ui",
  414.                       mode, conf->file, conf->line);
  415.         return NGX_CONF_ERROR;
  416.     }

  418.     if (conf->certificate_keys->nelts < conf->certificates->nelts) {
  419.         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  420.                       "no \"ssl_certificate_key\" is defined "
  421.                       "for certificate \"%V\" and "
  422.                       "the \"%s\" directive in %s:%ui",
  423.                       ((ngx_str_t *) conf->certificates->elts)
  424.                       + conf->certificates->nelts - 1,
  425.                       mode, conf->file, conf->line);
  426.         return NGX_CONF_ERROR;
  427.     }

  429.     if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
  430.         return NGX_CONF_ERROR;
  431.     }

  433.     cln = ngx_pool_cleanup_add(cf->pool, 0);
  434.     if (cln == NULL) {
  435.         ngx_ssl_cleanup_ctx(&conf->ssl);
  436.         return NGX_CONF_ERROR;
  437.     }

  439.     cln->handler = ngx_ssl_cleanup_ctx;
  440.     cln->data = &conf->ssl;

  442. #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
  443.     SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL);
  444. #endif

  446.     if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
  447.                         conf->prefer_server_ciphers)
  448.         != NGX_OK)
  449.     {
  450.         return NGX_CONF_ERROR;
  451.     }

  453.     if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
  454.                              conf->certificate_keys, conf->passwords)
  455.         != NGX_OK)
  456.     {
  457.         return NGX_CONF_ERROR;
  458.     }

  460.     if (ngx_ssl_certificate_compression(cf, &conf->ssl,
  461.                                         conf->certificate_compression)
  462.         != NGX_OK)
  463.     {
  464.         return NGX_CONF_ERROR;
  465.     }

  467.     if (conf->verify) {

  469.         if (conf->verify != 3
  470.             && conf->client_certificate.len == 0
  471.             && conf->trusted_certificate.len == 0)
  472.         {
  473.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  474.                           "no ssl_client_certificate or "
  475.                           "ssl_trusted_certificate for ssl_verify_client");
  476.             return NGX_CONF_ERROR;
  477.         }

  479.         if (ngx_ssl_client_certificate(cf, &conf->ssl,
  480.                                        &conf->client_certificate,
  481.                                        conf->verify_depth)
  482.             != NGX_OK)
  483.         {
  484.             return NGX_CONF_ERROR;
  485.         }

  487.         if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
  488.                                         &conf->trusted_certificate,
  489.                                         conf->verify_depth)
  490.             != NGX_OK)
  491.         {
  492.             return NGX_CONF_ERROR;
  493.         }

  495.         if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
  496.             return NGX_CONF_ERROR;
  497.         }
  498.     }

  500.     if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
  501.         return NGX_CONF_ERROR;
  502.     }

  504.     if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
  505.         return NGX_CONF_ERROR;
  506.     }

  508.     ngx_conf_merge_value(conf->builtin_session_cache,
  509.                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

  511.     if (conf->shm_zone == NULL) {
  512.         conf->shm_zone = prev->shm_zone;
  513.     }

  515.     if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
  516.                               conf->certificates, conf->builtin_session_cache,
  517.                               conf->shm_zone, conf->session_timeout)
  518.         != NGX_OK)
  519.     {
  520.         return NGX_CONF_ERROR;
  521.     }

  523.     ngx_conf_merge_value(conf->session_tickets,
  524.                          prev->session_tickets, 1);

  526. #ifdef SSL_OP_NO_TICKET
  527.     if (!conf->session_tickets) {
  528.         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
  529.     }
  530. #endif

  532.     ngx_conf_merge_ptr_value(conf->session_ticket_keys,
  533.                          prev->session_ticket_keys, NULL);

  535.     if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
  536.         != NGX_OK)
  537.     {
  538.         return NGX_CONF_ERROR;
  539.     }

  541.     if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
  542.         return NGX_CONF_ERROR;
  543.     }

  545.     return NGX_CONF_OK;
  546. }


  549. static char *
  550. ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  551. {
  552.     ngx_mail_ssl_conf_t  *scf = conf;

  554.     char  *rv;

  556.     rv = ngx_conf_set_enum_slot(cf, cmd, conf);

  558.     if (rv != NGX_CONF_OK) {
  559.         return rv;
  560.     }

  562.     if (!scf->listen) {
  563.         scf->file = cf->conf_file->file.name.data;
  564.         scf->line = cf->conf_file->line;
  565.     }

  567.     return NGX_CONF_OK;
  568. }


  571. static char *
  572. ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  573. {
  574.     ngx_mail_ssl_conf_t  *scf = conf;

  576.     ngx_str_t  *value;

  578.     if (scf->passwords != NGX_CONF_UNSET_PTR) {
  579.         return "is duplicate";
  580.     }

  582.     value = cf->args->elts;

  584.     scf->passwords = ngx_ssl_read_password_file(cf, &value[1]);

  586.     if (scf->passwords == NULL) {
  587.         return NGX_CONF_ERROR;
  588.     }

  590.     return NGX_CONF_OK;
  591. }


  594. static char *
  595. ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  596. {
  597.     ngx_mail_ssl_conf_t  *scf = conf;

  599.     size_t       len;
  600.     ngx_str_t   *value, name, size;
  601.     ngx_int_t    n;
  602.     ngx_uint_t   i, j;

  604.     value = cf->args->elts;

  606.     for (i = 1; i < cf->args->nelts; i++) {

  608.         if (ngx_strcmp(value[i].data, "off") == 0) {
  609.             scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
  610.             continue;
  611.         }

  613.         if (ngx_strcmp(value[i].data, "none") == 0) {
  614.             scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
  615.             continue;
  616.         }

  618.         if (ngx_strcmp(value[i].data, "builtin") == 0) {
  619.             scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
  620.             continue;
  621.         }

  623.         if (value[i].len > sizeof("builtin:") - 1
  624.             && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
  625.                == 0)
  626.         {
  627.             n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
  628.                          value[i].len - (sizeof("builtin:") - 1));

  630.             if (n == NGX_ERROR) {
  631.                 goto invalid;
  632.             }

  634.             scf->builtin_session_cache = n;

  636.             continue;
  637.         }

  639.         if (value[i].len > sizeof("shared:") - 1
  640.             && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
  641.                == 0)
  642.         {
  643.             len = 0;

  645.             for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
  646.                 if (value[i].data[j] == ':') {
  647.                     break;
  648.                 }

  650.                 len++;
  651.             }

  653.             if (len == 0 || j == value[i].len) {
  654.                 goto invalid;
  655.             }

  657.             name.len = len;
  658.             name.data = value[i].data + sizeof("shared:") - 1;

  660.             size.len = value[i].len - j - 1;
  661.             size.data = name.data + len + 1;

  663.             n = ngx_parse_size(&size);

  665.             if (n == NGX_ERROR) {
  666.                 goto invalid;
  667.             }

  669.             if (n < (ngx_int_t) (8 * ngx_pagesize)) {
  670.                 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  671.                                    "session cache \"%V\" is too small",
  672.                                    &value[i]);

  674.                 return NGX_CONF_ERROR;
  675.             }

  677.             scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
  678.                                                    &ngx_mail_ssl_module);
  679.             if (scf->shm_zone == NULL) {
  680.                 return NGX_CONF_ERROR;
  681.             }

  683.             scf->shm_zone->init = ngx_ssl_session_cache_init;

  685.             continue;
  686.         }

  688.         goto invalid;
  689.     }

  691.     if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
  692.         scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
  693.     }

  695.     return NGX_CONF_OK;

  697. invalid:

  699.     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  700.                        "invalid session cache \"%V\"", &value[i]);

  702.     return NGX_CONF_ERROR;
  703. }


  706. static char *
  707. ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
  708. {
  709. #ifndef SSL_CONF_FLAG_FILE
  710.     return "is not supported on this platform";
  711. #else
  712.     return NGX_CONF_OK;
  713. #endif
  714. }

One Level Up Top Level