Fijxu/nginx-quic
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

DH parameters, ssl_dhparam

Browse source
This commit is contained in:
Igor Sysoev 2008-06-16 05:51:32 +00:00
parent 1c3b27b4bd
commit d512987c1e
6 changed files with 120 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

84
src/event/ngx_event_openssl.c
View file

@ -182,6 +182,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
#endif #endif
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
if (ngx_ssl_protocols[protocols >> 1] != 0) { if (ngx_ssl_protocols[protocols >> 1] != 0) {
SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
@ -351,6 +352,89 @@ ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl)
} }
ngx_int_t
ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
{
DH *dh;
BIO *bio;
/*
* -----BEGIN DH PARAMETERS-----
* MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
* y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
* 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
* -----END DH PARAMETERS-----
*/
static unsigned char dh1024_p[] = {
0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
};
static unsigned char dh1024_g[] = { 0x02 };
if (file->len == 0) {
dh = DH_new();
if (dh == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
return NGX_ERROR;
}
dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
if (dh->p == NULL || dh->g == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
DH_free(dh);
return NGX_ERROR;
}
SSL_CTX_set_tmp_dh(ssl->ctx, dh);
DH_free(dh);
return NGX_OK;
}
if (ngx_conf_full_name(cf->cycle, file, 1) == NGX_ERROR) {
return NGX_ERROR;
}
bio = BIO_new_file((char *) file->data, "r");
if (bio == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"BIO_new_file(\"%s\") failed", file->data);
return NGX_ERROR;
}
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
if (dh == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"PEM_read_bio_DHparams(\"%s\") failed", file->data);
BIO_free(bio);
return NGX_ERROR;
}
SSL_CTX_set_tmp_dh(ssl->ctx, dh);
DH_free(dh);
BIO_free(bio);
return NGX_OK;
}
ngx_int_t ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
{ {

1
src/event/ngx_event_openssl.h
View file

@ -101,6 +101,7 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth); ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl); ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,

23
src/http/modules/ngx_http_ssl_module.c
View file

@ -72,6 +72,13 @@ static ngx_command_t ngx_http_ssl_commands[] = {
offsetof(ngx_http_ssl_srv_conf_t, certificate_key), offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
NULL }, NULL },
{ ngx_string("ssl_dhparam"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, dhparam),
NULL },
{ ngx_string("ssl_protocols"), { ngx_string("ssl_protocols"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE, NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot, ngx_conf_set_bitmask_slot,
@ -287,12 +294,10 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
* set by ngx_pcalloc(): * set by ngx_pcalloc():
* *
* sscf->protocols = 0; * sscf->protocols = 0;
* sscf->certificate.len = 0; * sscf->certificate = { 0, NULL };
* sscf->certificate.data = NULL; * sscf->certificate_key = { 0, NULL };
* sscf->certificate_key.len = 0; * sscf->dhparam = { 0, NULL };
* sscf->certificate_key.data = NULL; * sscf->client_certificate = { 0, NULL };
* sscf->client_certificate.len = 0;
* sscf->client_certificate.data = NULL;
* sscf->ciphers.len = 0; * sscf->ciphers.len = 0;
* sscf->ciphers.data = NULL; * sscf->ciphers.data = NULL;
* sscf->shm_zone = NULL; * sscf->shm_zone = NULL;
@ -342,6 +347,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
NGX_DEFLAUT_CERTIFICATE_KEY); NGX_DEFLAUT_CERTIFICATE_KEY);
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
""); "");
@ -414,6 +421,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
}
ngx_conf_merge_value(conf->builtin_session_cache, ngx_conf_merge_value(conf->builtin_session_cache,
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

1
src/http/modules/ngx_http_ssl_module.h
View file

@ -31,6 +31,7 @@ typedef struct {
ngx_str_t certificate; ngx_str_t certificate;
ngx_str_t certificate_key; ngx_str_t certificate_key;
ngx_str_t dhparam;
ngx_str_t client_certificate; ngx_str_t client_certificate;
ngx_str_t ciphers; ngx_str_t ciphers;

20
src/mail/ngx_mail_ssl_module.c
View file

@ -76,6 +76,13 @@ static ngx_command_t ngx_mail_ssl_commands[] = {
offsetof(ngx_mail_ssl_conf_t, certificate_key), offsetof(ngx_mail_ssl_conf_t, certificate_key),
NULL }, NULL },
{ ngx_string("ssl_dhparam"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_MAIL_SRV_CONF_OFFSET,
offsetof(ngx_mail_ssl_conf_t, dhparam),
NULL },
{ ngx_string("ssl_protocols"), { ngx_string("ssl_protocols"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE, NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot, ngx_conf_set_bitmask_slot,
@ -163,10 +170,9 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
* set by ngx_pcalloc(): * set by ngx_pcalloc():
* *
* scf->protocols = 0; * scf->protocols = 0;
* scf->certificate.len = 0; * scf->certificate = { 0, NULL };
* scf->certificate.data = NULL; * scf->certificate_key = { 0, NULL };
* scf->certificate_key.len = 0; * scf->dhparam = { 0, NULL };
* scf->certificate_key.data = NULL;
* scf->ciphers.len = 0; * scf->ciphers.len = 0;
* scf->ciphers.data = NULL; * scf->ciphers.data = NULL;
* scf->shm_zone = NULL; * scf->shm_zone = NULL;
@ -213,6 +219,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
NGX_DEFLAUT_CERTIFICATE_KEY); NGX_DEFLAUT_CERTIFICATE_KEY);
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS); ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
@ -260,6 +268,10 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
}
ngx_conf_merge_value(conf->builtin_session_cache, ngx_conf_merge_value(conf->builtin_session_cache,
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

1
src/mail/ngx_mail_ssl_module.h
View file

@ -34,6 +34,7 @@ typedef struct {
ngx_str_t certificate; ngx_str_t certificate;
ngx_str_t certificate_key; ngx_str_t certificate_key;
ngx_str_t dhparam;
ngx_str_t ciphers; ngx_str_t ciphers;