One Level Up Top Level

src/mail/ngx_mail_ssl_module.c - nginx-1.7.10

Global variables defined

Functions defined

Macros defined

Source code


  2. /*
  3. * Copyright (C) Igor Sysoev
  4. * Copyright (C) Nginx, Inc.
  5. */


  8. #include <ngx_config.h>
  9. #include <ngx_core.h>
  10. #include <ngx_mail.h>


  13. #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
  14. #define NGX_DEFAULT_ECDH_CURVE  "prime256v1"


  17. static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
  18. static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);

  20. static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
  21.     void *conf);
  22. static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
  23.     void *conf);
  24. static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
  25.     void *conf);
  26. static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
  27.     void *conf);


  30. static ngx_conf_enum_t  ngx_mail_starttls_state[] = {
  31.     { ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
  32.     { ngx_string("on"), NGX_MAIL_STARTTLS_ON },
  33.     { ngx_string("only"), NGX_MAIL_STARTTLS_ONLY },
  34.     { ngx_null_string, 0 }
  35. };



  39. static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
  40.     { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
  41.     { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
  42.     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
  43.     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
  44.     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
  45.     { ngx_null_string, 0 }
  46. };


  49. static ngx_command_t  ngx_mail_ssl_commands[] = {

  51.     { ngx_string("ssl"),
  52.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
  53.       ngx_mail_ssl_enable,
  54.       NGX_MAIL_SRV_CONF_OFFSET,
  55.       offsetof(ngx_mail_ssl_conf_t, enable),
  56.       NULL },

  58.     { ngx_string("starttls"),
  59.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  60.       ngx_mail_ssl_starttls,
  61.       NGX_MAIL_SRV_CONF_OFFSET,
  62.       offsetof(ngx_mail_ssl_conf_t, starttls),
  63.       ngx_mail_starttls_state },

  65.     { ngx_string("ssl_certificate"),
  66.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  67.       ngx_conf_set_str_slot,
  68.       NGX_MAIL_SRV_CONF_OFFSET,
  69.       offsetof(ngx_mail_ssl_conf_t, certificate),
  70.       NULL },

  72.     { ngx_string("ssl_certificate_key"),
  73.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  74.       ngx_conf_set_str_slot,
  75.       NGX_MAIL_SRV_CONF_OFFSET,
  76.       offsetof(ngx_mail_ssl_conf_t, certificate_key),
  77.       NULL },

  79.     { ngx_string("ssl_password_file"),
  80.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  81.       ngx_mail_ssl_password_file,
  82.       NGX_MAIL_SRV_CONF_OFFSET,
  83.       0,
  84.       NULL },

  86.     { ngx_string("ssl_dhparam"),
  87.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  88.       ngx_conf_set_str_slot,
  89.       NGX_MAIL_SRV_CONF_OFFSET,
  90.       offsetof(ngx_mail_ssl_conf_t, dhparam),
  91.       NULL },

  93.     { ngx_string("ssl_ecdh_curve"),
  94.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  95.       ngx_conf_set_str_slot,
  96.       NGX_MAIL_SRV_CONF_OFFSET,
  97.       offsetof(ngx_mail_ssl_conf_t, ecdh_curve),
  98.       NULL },

  100.     { ngx_string("ssl_protocols"),
  101.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
  102.       ngx_conf_set_bitmask_slot,
  103.       NGX_MAIL_SRV_CONF_OFFSET,
  104.       offsetof(ngx_mail_ssl_conf_t, protocols),
  105.       &ngx_mail_ssl_protocols },

  107.     { ngx_string("ssl_ciphers"),
  108.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  109.       ngx_conf_set_str_slot,
  110.       NGX_MAIL_SRV_CONF_OFFSET,
  111.       offsetof(ngx_mail_ssl_conf_t, ciphers),
  112.       NULL },

  114.     { ngx_string("ssl_prefer_server_ciphers"),
  115.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
  116.       ngx_conf_set_flag_slot,
  117.       NGX_MAIL_SRV_CONF_OFFSET,
  118.       offsetof(ngx_mail_ssl_conf_t, prefer_server_ciphers),
  119.       NULL },

  121.     { ngx_string("ssl_session_cache"),
  122.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE12,
  123.       ngx_mail_ssl_session_cache,
  124.       NGX_MAIL_SRV_CONF_OFFSET,
  125.       0,
  126.       NULL },

  128.     { ngx_string("ssl_session_tickets"),
  129.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
  130.       ngx_conf_set_flag_slot,
  131.       NGX_MAIL_SRV_CONF_OFFSET,
  132.       offsetof(ngx_mail_ssl_conf_t, session_tickets),
  133.       NULL },

  135.     { ngx_string("ssl_session_ticket_key"),
  136.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  137.       ngx_conf_set_str_array_slot,
  138.       NGX_MAIL_SRV_CONF_OFFSET,
  139.       offsetof(ngx_mail_ssl_conf_t, session_ticket_keys),
  140.       NULL },

  142.     { ngx_string("ssl_session_timeout"),
  143.       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
  144.       ngx_conf_set_sec_slot,
  145.       NGX_MAIL_SRV_CONF_OFFSET,
  146.       offsetof(ngx_mail_ssl_conf_t, session_timeout),
  147.       NULL },

  149.       ngx_null_command
  150. };


  153. static ngx_mail_module_t  ngx_mail_ssl_module_ctx = {
  154.     NULL,                                  /* protocol */

  156.     NULL,                                  /* create main configuration */
  157.     NULL,                                  /* init main configuration */

  159.     ngx_mail_ssl_create_conf,              /* create server configuration */
  160.     ngx_mail_ssl_merge_conf                /* merge server configuration */
  161. };


  164. ngx_module_t  ngx_mail_ssl_module = {
  165.     NGX_MODULE_V1,
  166.     &ngx_mail_ssl_module_ctx,              /* module context */
  167.     ngx_mail_ssl_commands,                 /* module directives */
  168.     NGX_MAIL_MODULE,                       /* module type */
  169.     NULL,                                  /* init master */
  170.     NULL,                                  /* init module */
  171.     NULL,                                  /* init process */
  172.     NULL,                                  /* init thread */
  173.     NULL,                                  /* exit thread */
  174.     NULL,                                  /* exit process */
  175.     NULL,                                  /* exit master */
  176.     NGX_MODULE_V1_PADDING
  177. };


  180. static ngx_str_t ngx_mail_ssl_sess_id_ctx = ngx_string("MAIL");


  183. static void *
  184. ngx_mail_ssl_create_conf(ngx_conf_t *cf)
  185. {
  186.     ngx_mail_ssl_conf_t  *scf;

  188.     scf = ngx_pcalloc(cf->pool, sizeof(ngx_mail_ssl_conf_t));
  189.     if (scf == NULL) {
  190.         return NULL;
  191.     }

  193.     /*
  194.      * set by ngx_pcalloc():
  195.      *
  196.      *     scf->protocols = 0;
  197.      *     scf->certificate = { 0, NULL };
  198.      *     scf->certificate_key = { 0, NULL };
  199.      *     scf->dhparam = { 0, NULL };
  200.      *     scf->ecdh_curve = { 0, NULL };
  201.      *     scf->ciphers = { 0, NULL };
  202.      *     scf->shm_zone = NULL;
  203.      */

  205.     scf->enable = NGX_CONF_UNSET;
  206.     scf->starttls = NGX_CONF_UNSET_UINT;
  207.     scf->passwords = NGX_CONF_UNSET_PTR;
  208.     scf->prefer_server_ciphers = NGX_CONF_UNSET;
  209.     scf->builtin_session_cache = NGX_CONF_UNSET;
  210.     scf->session_timeout = NGX_CONF_UNSET;
  211.     scf->session_tickets = NGX_CONF_UNSET;
  212.     scf->session_ticket_keys = NGX_CONF_UNSET_PTR;

  214.     return scf;
  215. }


  218. static char *
  219. ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
  220. {
  221.     ngx_mail_ssl_conf_t *prev = parent;
  222.     ngx_mail_ssl_conf_t *conf = child;

  224.     char                *mode;
  225.     ngx_pool_cleanup_t  *cln;

  227.     ngx_conf_merge_value(conf->enable, prev->enable, 0);
  228.     ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
  229.                          NGX_MAIL_STARTTLS_OFF);

  231.     ngx_conf_merge_value(conf->session_timeout,
  232.                          prev->session_timeout, 300);

  234.     ngx_conf_merge_value(conf->prefer_server_ciphers,
  235.                          prev->prefer_server_ciphers, 0);

  237.     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
  238.                          (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
  239.                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));

  241.     ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
  242.     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");

  244.     ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

  246.     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

  248.     ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
  249.                          NGX_DEFAULT_ECDH_CURVE);

  251.     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);


  254.     conf->ssl.log = cf->log;

  256.     if (conf->enable) {
  257.        mode = "ssl";

  259.     } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
  260.        mode = "starttls";

  262.     } else {
  263.        mode = "";
  264.     }

  266.     if (conf->file == NULL) {
  267.         conf->file = prev->file;
  268.         conf->line = prev->line;
  269.     }

  271.     if (*mode) {

  273.         if (conf->certificate.len == 0) {
  274.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  275.                           "no \"ssl_certificate\" is defined for "
  276.                           "the \"%s\" directive in %s:%ui",
  277.                           mode, conf->file, conf->line);
  278.             return NGX_CONF_ERROR;
  279.         }

  281.         if (conf->certificate_key.len == 0) {
  282.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  283.                           "no \"ssl_certificate_key\" is defined for "
  284.                           "the \"%s\" directive in %s:%ui",
  285.                           mode, conf->file, conf->line);
  286.             return NGX_CONF_ERROR;
  287.         }

  289.     } else {

  291.         if (conf->certificate.len == 0) {
  292.             return NGX_CONF_OK;
  293.         }

  295.         if (conf->certificate_key.len == 0) {
  296.             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
  297.                           "no \"ssl_certificate_key\" is defined "
  298.                           "for certificate \"%V\"",
  299.                           &conf->certificate);
  300.             return NGX_CONF_ERROR;
  301.         }
  302.     }

  304.     if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
  305.         return NGX_CONF_ERROR;
  306.     }

  308.     cln = ngx_pool_cleanup_add(cf->pool, 0);
  309.     if (cln == NULL) {
  310.         return NGX_CONF_ERROR;
  311.     }

  313.     cln->handler = ngx_ssl_cleanup_ctx;
  314.     cln->data = &conf->ssl;

  316.     if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
  317.                             &conf->certificate_key, conf->passwords)
  318.         != NGX_OK)
  319.     {
  320.         return NGX_CONF_ERROR;
  321.     }

  323.     if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
  324.                                 (const char *) conf->ciphers.data)
  325.         == 0)
  326.     {
  327.         ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
  328.                       "SSL_CTX_set_cipher_list(\"%V\") failed",
  329.                       &conf->ciphers);
  330.         return NGX_CONF_ERROR;
  331.     }

  333.     if (conf->prefer_server_ciphers) {
  334.         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  335.     }

  337.     SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);

  339.     if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
  340.         return NGX_CONF_ERROR;
  341.     }

  343.     if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
  344.         return NGX_CONF_ERROR;
  345.     }

  347.     ngx_conf_merge_value(conf->builtin_session_cache,
  348.                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

  350.     if (conf->shm_zone == NULL) {
  351.         conf->shm_zone = prev->shm_zone;
  352.     }

  354.     if (ngx_ssl_session_cache(&conf->ssl, &ngx_mail_ssl_sess_id_ctx,
  355.                               conf->builtin_session_cache,
  356.                               conf->shm_zone, conf->session_timeout)
  357.         != NGX_OK)
  358.     {
  359.         return NGX_CONF_ERROR;
  360.     }

  362.     ngx_conf_merge_value(conf->session_tickets,
  363.                          prev->session_tickets, 1);

  365. #ifdef SSL_OP_NO_TICKET
  366.     if (!conf->session_tickets) {
  367.         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
  368.     }
  369. #endif

  371.     ngx_conf_merge_ptr_value(conf->session_ticket_keys,
  372.                          prev->session_ticket_keys, NULL);

  374.     if (ngx_ssl_session_ticket_keys(cf, &conf->ssl, conf->session_ticket_keys)
  375.         != NGX_OK)
  376.     {
  377.         return NGX_CONF_ERROR;
  378.     }

  380.     return NGX_CONF_OK;
  381. }


  384. static char *
  385. ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  386. {
  387.     ngx_mail_ssl_conf_t  *scf = conf;

  389.     char  *rv;

  391.     rv = ngx_conf_set_flag_slot(cf, cmd, conf);

  393.     if (rv != NGX_CONF_OK) {
  394.         return rv;
  395.     }

  397.     if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
  398.         ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
  399.                            "\"starttls\" directive conflicts with \"ssl on\"");
  400.         return NGX_CONF_ERROR;
  401.     }

  403.     scf->file = cf->conf_file->file.name.data;
  404.     scf->line = cf->conf_file->line;

  406.     return NGX_CONF_OK;
  407. }


  410. static char *
  411. ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  412. {
  413.     ngx_mail_ssl_conf_t  *scf = conf;

  415.     char  *rv;

  417.     rv = ngx_conf_set_enum_slot(cf, cmd, conf);

  419.     if (rv != NGX_CONF_OK) {
  420.         return rv;
  421.     }

  423.     if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
  424.         ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
  425.                            "\"ssl\" directive conflicts with \"starttls\"");
  426.         return NGX_CONF_ERROR;
  427.     }

  429.     scf->file = cf->conf_file->file.name.data;
  430.     scf->line = cf->conf_file->line;

  432.     return NGX_CONF_OK;
  433. }


  436. static char *
  437. ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  438. {
  439.     ngx_mail_ssl_conf_t  *scf = conf;

  441.     ngx_str_t  *value;

  443.     if (scf->passwords != NGX_CONF_UNSET_PTR) {
  444.         return "is duplicate";
  445.     }

  447.     value = cf->args->elts;

  449.     scf->passwords = ngx_ssl_read_password_file(cf, &value[1]);

  451.     if (scf->passwords == NULL) {
  452.         return NGX_CONF_ERROR;
  453.     }

  455.     return NGX_CONF_OK;
  456. }


  459. static char *
  460. ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
  461. {
  462.     ngx_mail_ssl_conf_t  *scf = conf;

  464.     size_t       len;
  465.     ngx_str_t   *value, name, size;
  466.     ngx_int_t    n;
  467.     ngx_uint_t   i, j;

  469.     value = cf->args->elts;

  471.     for (i = 1; i < cf->args->nelts; i++) {

  473.         if (ngx_strcmp(value[i].data, "off") == 0) {
  474.             scf->builtin_session_cache = NGX_SSL_NO_SCACHE;
  475.             continue;
  476.         }

  478.         if (ngx_strcmp(value[i].data, "none") == 0) {
  479.             scf->builtin_session_cache = NGX_SSL_NONE_SCACHE;
  480.             continue;
  481.         }

  483.         if (ngx_strcmp(value[i].data, "builtin") == 0) {
  484.             scf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE;
  485.             continue;
  486.         }

  488.         if (value[i].len > sizeof("builtin:") - 1
  489.             && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1)
  490.                == 0)
  491.         {
  492.             n = ngx_atoi(value[i].data + sizeof("builtin:") - 1,
  493.                          value[i].len - (sizeof("builtin:") - 1));

  495.             if (n == NGX_ERROR) {
  496.                 goto invalid;
  497.             }

  499.             scf->builtin_session_cache = n;

  501.             continue;
  502.         }

  504.         if (value[i].len > sizeof("shared:") - 1
  505.             && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1)
  506.                == 0)
  507.         {
  508.             len = 0;

  510.             for (j = sizeof("shared:") - 1; j < value[i].len; j++) {
  511.                 if (value[i].data[j] == ':') {
  512.                     break;
  513.                 }

  515.                 len++;
  516.             }

  518.             if (len == 0) {
  519.                 goto invalid;
  520.             }

  522.             name.len = len;
  523.             name.data = value[i].data + sizeof("shared:") - 1;

  525.             size.len = value[i].len - j - 1;
  526.             size.data = name.data + len + 1;

  528.             n = ngx_parse_size(&size);

  530.             if (n == NGX_ERROR) {
  531.                 goto invalid;
  532.             }

  534.             if (n < (ngx_int_t) (8 * ngx_pagesize)) {
  535.                 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  536.                                    "session cache \"%V\" is too small",
  537.                                    &value[i]);

  539.                 return NGX_CONF_ERROR;
  540.             }

  542.             scf->shm_zone = ngx_shared_memory_add(cf, &name, n,
  543.                                                    &ngx_mail_ssl_module);
  544.             if (scf->shm_zone == NULL) {
  545.                 return NGX_CONF_ERROR;
  546.             }

  548.             scf->shm_zone->init = ngx_ssl_session_cache_init;

  550.             continue;
  551.         }

  553.         goto invalid;
  554.     }

  556.     if (scf->shm_zone && scf->builtin_session_cache == NGX_CONF_UNSET) {
  557.         scf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE;
  558.     }

  560.     return NGX_CONF_OK;

  562. invalid:

  564.     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
  565.                        "invalid session cache \"%V\"", &value[i]);

  567.     return NGX_CONF_ERROR;
  568. }

One Level Up Top Level