1
2 /*
3 * Copyright (C) Igor Sysoev
4 */
5
6
7 #include <ngx_config.h>
8 #include <ngx_core.h>
9 #include <ngx_mail.h>
10
11
12 #define NGX_DEFAULT_CIPHERS "HIGH:!ADH:!MD5"
13
14
15 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
16 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
17
18 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
19 void *conf);
20 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
21 void *conf);
22 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
23 void *conf);
24
25
26 static ngx_conf_enum_t ngx_http_starttls_state[] = {
27 { ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
28 { ngx_string("on"), NGX_MAIL_STARTTLS_ON },
29 { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY },
30 { ngx_null_string, 0 }
31 };
32
33
34
35 static ngx_conf_bitmask_t ngx_mail_ssl_protocols[] = {
36 { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
37 { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
38 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
39 { ngx_null_string, 0 }
40 };
41
42
43 static ngx_command_t ngx_mail_ssl_commands[] = {
44
45 { ngx_string("ssl"),
46 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
47 ngx_mail_ssl_enable,
48 NGX_MAIL_SRV_CONF_OFFSET,
49 offsetof(ngx_mail_ssl_conf_t, enable),
50 NULL },
51
52 { ngx_string("starttls"),
53 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
54 ngx_mail_ssl_starttls,
55 NGX_MAIL_SRV_CONF_OFFSET,
56 offsetof(ngx_mail_ssl_conf_t, starttls),
57 ngx_http_starttls_state },
58
59 { ngx_string("ssl_certificate"),
60 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
61 ngx_conf_set_str_slot,
62 NGX_MAIL_SRV_CONF_OFFSET,
63 offsetof(ngx_mail_ssl_conf_t, certificate),
64 NULL },
65
66 { ngx_string("ssl_certificate_key"),
67 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
68 ngx_conf_set_str_slot,
69 NGX_MAIL_SRV_CONF_OFFSET,
70 offsetof(ngx_mail_ssl_conf_t, certificate_key),
71 NULL },
72
73 { ngx_string("ssl_dhparam"),
74 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
75 ngx_conf_set_str_slot,
76 NGX_MAIL_SRV_CONF_OFFSET,
77 offsetof(ngx_mail_ssl_conf_t, dhparam),
78 NULL },
79
80 { ngx_string("ssl_protocols"),
81 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
82 ngx_conf_set_bitmask_slot,
83 NGX_MAIL_SRV_CONF_OFFSET,
84 offsetof(ngx_mail_ssl_conf_t, protocols),
85 &ngx_mail_ssl_protocols },
86
87 { ngx_string("ssl_ciphers"),
88 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
89 ngx_conf_set_str_slot,
90 NGX_MAIL_SRV_CONF_OFFSET,
91 offsetof(ngx_mail_ssl_conf_t, ciphers),
92 NULL },
93
94 { ngx_string("ssl_prefer_server_ciphers"),
95 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
96 ngx_conf_set_flag_slot,
97 NGX_MAIL_SRV_CONF_OFFSET,
98 offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers),
99 NULL },
100
101 { ngx_string("ssl_session_cache"),
102 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
103 ngx_mail_ssl_session_cache,
104 NGX_MAIL_SRV_CONF_OFFSET,
105 0,
106 NULL },
107
108 { ngx_string("ssl_session_timeout"),
109 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
110 ngx_conf_set_sec_slot,
111 NGX_MAIL_SRV_CONF_OFFSET,
112 offsetof(ngx_mail_ssl_conf_t, session_timeout),
113 NULL },
114
115 ngx_null_command
116 };
117
118
119 static ngx_mail_module_t ngx_mail_ssl_module_ctx = {
120 NULL, /* protocol */
121
122 NULL, /* create main configuration */
123 NULL, /* init main configuration */
124
125 ngx_mail_ssl_create_conf, /* create server configuration */
126 ngx_mail_ssl_merge_conf /* merge server configuration */
127 };
128
129
130 ngx_module_t ngx_mail_ssl_module = {
131 NGX_MODULE_V1,
132 &ngx_mail_ssl_module_ctx, /* module context */
133 ngx_mail_ssl_commands, /* module directives */
134 NGX_MAIL_MODULE, /* module type */
135 NULL, /* init master */
136 NULL, /* init module */
137 NULL, /* init process */
138 NULL, /* init thread */
139 NULL, /* exit thread */
140 NULL, /* exit process */
141 NULL, /* exit master */
142 NGX_MODULE_V1_PADDING
143 };
144
145
146 static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL");
147
148
149 static void *
150 ngx_mail_ssl_create_conf(ngx_conf_t *cf)
151 {
152 ngx_mail_ssl_conf_t *scf;
153
154 scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t));
155 if (scf == NULL) {
156 return NULL;
157 }
158
159 /*
160 * set by ngx_pcalloc():
161 *
162 * scf->protocols = 0;
163 * scf->certificate = { 0, NULL };
164 * scf->certificate_key = { 0, NULL };
165 * scf->dhparam = { 0, NULL };
166 * scf->ciphers.len = 0;
167 * scf->ciphers.data = NULL;
168 * scf->shm_zone = NULL;
169 */
170
171 scf->enable = NGX_CONF_UNSET;
172 scf->starttls = NGX_CONF_UNSET_UINT;
173 scf->prefer_server_ciphers = NGX_CONF_UNSET;
174 scf->builtin_session_cache = NGX_CONF_UNSET;
175 scf->session_timeout = NGX_CONF_UNSET;
176
177 return scf;
178 }
179
180
181 static char *
182 ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
183 {
184 ngx_mail_ssl_conf_t *prev = parent;
185 ngx_mail_ssl_conf_t *conf = child;
186
187 char *mode;
188 ngx_pool_cleanup_t *cln;
189
190 ngx_conf_merge_value(conf->enable, prev->enable, 0);
191 ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
192 NGX_MAIL_STARTTLS_OFF);
193
194 ngx_conf_merge_value(conf->session_timeout,
195 prev->session_timeout, 300);
196
197 ngx_conf_merge_value(conf->prefer_server_ciphers,
198 prev->prefer_server_ciphers, 0);
199
200 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
201 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
202
203 ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
204 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
205
206 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
207
208 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
209
210
211 conf->ssl.log = cf->log;
212
213 if (conf->enable) {
214 mode = "ssl";
215
216 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
217 mode = "starttls";
218
219 } else {
220 mode = "";
221 }
222
223 if (*mode) {
224
225 if (conf->certificate.len == 0) {
226 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
227 "no \"ssl_certificate\" is defined for "
228 "the \"%s\" directive in %s:%ui",
229 mode, conf->file, conf->line);
230 return NGX_CONF_ERROR;
231 }
232
233 if (conf->certificate_key.len == 0) {
234 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
235 "no \"ssl_certificate_key\" is defined for "
236 "the \"%s\" directive in %s:%ui",
237 mode, conf->file, conf->line);
238 return NGX_CONF_ERROR;
239 }
240
241 } else {
242
243 if (conf->certificate.len == 0) {
244 return NGX_CONF_OK;
245 }
246
247 if (conf->certificate_key.len == 0) {
248 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
249 "no \"ssl_certificate_key\" is defined "
250 "for certificate \"%V\"",
251 &conf->certificate);
252 return NGX_CONF_ERROR;
253 }
254 }
255
256 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
257 return NGX_CONF_ERROR;
258 }
259
260 cln = ngx_pool_cleanup_add(cf->pool, 0);
261 if (cln == NULL) {
262 return NGX_CONF_ERROR;
263 }
264
265 cln->handler = ngx_ssl_cleanup_ctx;
266 cln->data = &conf->ssl;
267
268 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
269 &conf->certificate_key)
270 != NGX_OK)
271 {
272 return NGX_CONF_ERROR;
273 }
274
275 if (conf->ciphers.len) {
276 if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
277 (const char *) conf->ciphers.data)
278 == 0)
279 {
280 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
281 "SSL_CTX_set_cipher_list(\"%V\") failed",
282 &conf->ciphers);
283 }
284 }
285
286 if (conf->prefer_server_ciphers) {
287 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
288 }
289
290 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
291 return NGX_CONF_ERROR;
292 }
293
294 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
295 return NGX_CONF_ERROR;
296 }
297
298 ngx_conf_merge_value(conf->builtin_session_cache,
299 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
300
301 if (conf->shm_zone == NULL) {
302 conf->shm_zone = prev->shm_zone;
303 }
304
305 if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
306 conf->builtin_session_cache,
307 conf->shm_zone, conf->session_timeout)
308 != NGX_OK)
309 {
310 return NGX_CONF_ERROR;
311 }
312
313 return NGX_CONF_OK;
314 }
315
316
317 static char *
318 ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
319 {
320 ngx_mail_ssl_conf_t *scf = conf;
321
322 char *rv;
323
324 rv = ngx_conf_set_flag_slot(cf, cmd, conf);
325
326 if (rv != NGX_CONF_OK) {
327 return rv;
328 }
329
330 if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
331 ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
332 "\"starttls\" directive conflicts with \"ssl on\"");
333 return NGX_CONF_ERROR;
334 }
335
336 scf->file = cf->conf_file->file.name.data;
337 scf->line = cf->conf_file->line;
338
339 return NGX_CONF_OK;
340 }
341
342
343 static char *
344 ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
345 {
346 ngx_mail_ssl_conf_t *scf = conf;
347
348 char *rv;
349
350 rv = ngx_conf_set_enum_slot(cf, cmd, conf);
351
352 if (rv != NGX_CONF_OK) {
353 return rv;
354 }
355
356 if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
357 ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
358 "\"ssl\" directive conflicts with \"starttls\"");
359 return NGX_CONF_ERROR;
360 }
361
362 scf->file = cf->conf_file->file.name.data;
363 scf->line = cf->conf_file->line;
364
365 return NGX_CONF_OK;
366 }
367
368
369 static char *
370 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
371 {
372 ngx_mail_ssl_conf_t *scf = conf;
373
374 size_t len;
375 ngx_str_t *value, name, size;
376 ngx_int_t n;
377 ngx_uint_t i, j;
378
379 value = cf->args->elts;
380
381 for (i = 1; i < cf->args->nelts; i++) {
382
383 if (ngx_strcmp(value[i].data, "off") == 0) {
384 scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
385 continue;
386 }
387
388 if (ngx_strcmp(value[i].data, "none") == 0) {
389 scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
390 continue;
391 }
392
393 if (ngx_strcmp(value[i].data, "builtin") == 0) {
394 scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
395 continue;
396 }
397
398 if (value[i].len > sizeof("builtin:") - 1
399 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
400 == 0)
401 {
402 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
403 value[i].len - (sizeof("builtin:") - 1));
404
405 if (n == NGX_ERROR) {
406 goto invalid;
407 }
408
409 scf->builtin_session_cache = n;
410
411 continue;
412 }
413
414 if (value[i].len > sizeof("shared:") - 1
415 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
416 == 0)
417 {
418 len = 0;
419
420 for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
421 if (value[i].data[j] == ':') {
422 break;
423 }
424
425 len++;
426 }
427
428 if (len == 0) {
429 goto invalid;
430 }
431
432 name.len = len;
433 name.data = value[i].data + sizeof("shared:") - 1;
434
435 size.len = value[i].len - j - 1;
436 size.data = name.data + len + 1;
437
438 n = ngx_parse_size(&size);
439
440 if (n == NGX_ERROR) {
441 goto invalid;
442 }
443
444 if (n < (ngx_int_t) (8 * ngx_pagesize)) {
445 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
446 "session cache \"%V\" is too small",
447 &value[i]);
448
449 return NGX_CONF_ERROR;
450 }
451
452 scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
453 &ngx_mail_ssl_module);
454 if (scf->shm_zone == NULL) {
455 return NGX_CONF_ERROR;
456 }
457
458 continue;
459 }
460
461 goto invalid;
462 }
463
464 if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
465 scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
466 }
467
468 return NGX_CONF_OK;
469
470 invalid:
471
472 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
473 "invalid session cache \"%V\"", &value[i]);
474
475 return NGX_CONF_ERROR;
476 }
477
This page was automatically generated by the
LXR engine.
Visit the LXR main site for more
information.