Add multiple certificate support.

This commit also de-duplicates most of the ngx_*_ssl_ct_merge_srv_conf functions. BoringSSL does not support serving a different SCT list for each certificate. (In fact, I'm not even sure if BoringSSL supports multiple certificates at all.) A warning message is printed if a BoringSSL user attempts to use the module in combination with multiple certificates.
grahamedgecombe · Jul 10, 2016 · 08c84f7 · 08c84f7
1 parent 24774dc
commit 08c84f7
Show file tree

Hide file tree

Showing 6 changed files with 205 additions and 194 deletions.
diff --git a/config b/config
@@ -30,7 +30,7 @@ if test -n "$ngx_module_link"; then
         ngx_module_deps="$ngx_addon_dir/ngx_ssl_ct_module.h"
         ngx_module_srcs="$ngx_addon_dir/ngx_http_ssl_ct_module.c"
         ngx_module_libs=OPENSSL
-        ngx_module_order="ngx_http_ssl_module $ngx_module_name"
+        ngx_module_order="ngx_http_ssl_module ngx_ssl_ct_module $ngx_module_name"
         . auto/module
 
         found_any=yes
@@ -42,7 +42,7 @@ if test -n "$ngx_module_link"; then
         ngx_module_deps="$ngx_addon_dir/ngx_ssl_ct_module.h"
         ngx_module_srcs="$ngx_addon_dir/ngx_mail_ssl_ct_module.c"
         ngx_module_libs=OPENSSL
-        ngx_module_order="ngx_mail_ssl_module $ngx_module_name"
+        ngx_module_order="ngx_mail_ssl_module ngx_ssl_ct_module $ngx_module_name"
         . auto/module
 
         found_any=yes
@@ -54,7 +54,7 @@ if test -n "$ngx_module_link"; then
         ngx_module_deps="$ngx_addon_dir/ngx_ssl_ct_module.h"
         ngx_module_srcs="$ngx_addon_dir/ngx_stream_ssl_ct_module.c"
         ngx_module_libs=OPENSSL
-        ngx_module_order="ngx_stream_ssl_module $ngx_module_name"
+        ngx_module_order="ngx_stream_ssl_module ngx_ssl_ct_module $ngx_module_name"
         . auto/module
 
         found_any=yes

diff --git a/ngx_http_ssl_ct_module.c b/ngx_http_ssl_ct_module.c
@@ -46,9 +46,9 @@ static ngx_command_t ngx_http_ssl_ct_commands[] = {
     {
         ngx_string("ssl_ct_static_scts"),
         NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_CONF_TAKE1,
-        &ngx_conf_set_str_slot,
+        &ngx_conf_set_str_array_slot,
         NGX_HTTP_SRV_CONF_OFFSET,
-        offsetof(ngx_ssl_ct_srv_conf_t, sct),
+        offsetof(ngx_ssl_ct_srv_conf_t, sct_dirs),
         NULL
     },
     ngx_null_command
@@ -72,68 +72,20 @@ ngx_module_t ngx_http_ssl_ct_module = {
 static char *ngx_http_ssl_ct_merge_srv_conf(ngx_conf_t *cf, void *parent,
     void *child)
 {
-    /* merge config */
-    ngx_ssl_ct_srv_conf_t *prev = parent;
-    ngx_ssl_ct_srv_conf_t *conf = child;
-
-    ngx_conf_merge_value(conf->enable, prev->enable, 0);
-    ngx_conf_merge_str_value(conf->sct, prev->sct, "");
-
-    /* validate config */
-    if (conf->enable)
-    {
-        if (conf->sct.len == 0)
-        {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                "no \"ssl_ct_static_scts\" is defined for the \"ssl_ct\""
-                "directive");
-            return NGX_CONF_ERROR;
-        }
-    }
-    else
-    {
-        return NGX_CONF_OK;
-    }
-
-    /* get ngx_http_ssl_module configuration and check if SSL is enabled */
     ngx_http_ssl_srv_conf_t *ssl_conf = ngx_http_conf_get_module_srv_conf(cf,
         ngx_http_ssl_module);
 
-    if (!ssl_conf->ssl.ctx)
-    {
-        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-            "\"ssl_ct\" can only be enabled if ssl is enabled");
-        return NGX_CONF_ERROR;
-    }
+    ngx_array_t *certificates;
 
-    /* read .sct files */
-    ngx_ssl_ct_ext *sct_list = ngx_ssl_ct_read_static_scts(cf, &conf->sct);
-    if (!sct_list)
-    {
-        /* ngx_ssl_ct_read_static_scts calls ngx_log_error */
-        return NGX_CONF_ERROR;
-    }
-
-    /* add OpenSSL TLS extension */
-#ifndef OPENSSL_IS_BORINGSSL
-    if (SSL_CTX_add_server_custom_ext(ssl_conf->ssl.ctx, NGX_SSL_CT_EXT,
-        &ngx_ssl_ct_ext_cb, NULL, sct_list, NULL, NULL) == 0)
-    {
-        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-            "SSL_CTX_add_server_custom_ext failed");
-        ngx_pfree(cf->pool, sct_list);
-        return NGX_CONF_ERROR;
-    }
+#if nginx_version >= 1011000
+    certificates = ssl_conf->certificates;
 #else
-    if (SSL_CTX_set_signed_cert_timestamp_list(ssl_conf->ssl.ctx, sct_list->buf,
-        sct_list->len) == 0)
-    {
-        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-            "SSL_CTX_set_signed_cert_timestamp_list failed");
-        ngx_pfree(cf->pool, sct_list);
-        return NGX_CONF_ERROR;
-    }
+    certificates = ngx_array_create(cf->pool, 1, sizeof(ngx_str_t));
+
+    ngx_str_t *certificate = ngx_array_push(certificates);
+    *certificate = ssl_conf->certificate;
 #endif
 
-    return NGX_CONF_OK;
+    return ngx_ssl_ct_merge_srv_conf(cf, parent, child, ssl_conf->ssl.ctx,
+        certificates);
 }
diff --git a/ngx_mail_ssl_ct_module.c b/ngx_mail_ssl_ct_module.c
@@ -42,9 +42,9 @@ static ngx_command_t ngx_mail_ssl_ct_commands[] = {
     {
         ngx_string("ssl_ct_static_scts"),
         NGX_MAIL_MAIN_CONF | NGX_MAIL_SRV_CONF | NGX_CONF_TAKE1,
-        &ngx_conf_set_str_slot,
+        &ngx_conf_set_str_array_slot,
         NGX_MAIL_SRV_CONF_OFFSET,
-        offsetof(ngx_ssl_ct_srv_conf_t, sct),
+        offsetof(ngx_ssl_ct_srv_conf_t, sct_dirs),
         NULL
     },
     ngx_null_command
@@ -68,68 +68,20 @@ ngx_module_t ngx_mail_ssl_ct_module = {
 static char *ngx_mail_ssl_ct_merge_srv_conf(ngx_conf_t *cf, void *parent,
     void *child)
 {
-    /* merge config */
-    ngx_ssl_ct_srv_conf_t *prev = parent;
-    ngx_ssl_ct_srv_conf_t *conf = child;
-
-    ngx_conf_merge_value(conf->enable, prev->enable, 0);
-    ngx_conf_merge_str_value(conf->sct, prev->sct, "");
-
-    /* validate config */
-    if (conf->enable)
-    {
-        if (conf->sct.len == 0)
-        {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                "no \"ssl_ct_static_scts\" is defined for the \"ssl_ct\""
-                "directive");
-            return NGX_CONF_ERROR;
-        }
-    }
-    else
-    {
-        return NGX_CONF_OK;
-    }
-
-    /* get ngx_mail_ssl_module configuration and check if SSL is enabled */
     ngx_mail_ssl_conf_t *ssl_conf = ngx_mail_conf_get_module_srv_conf(cf,
         ngx_mail_ssl_module);
 
-    if (!ssl_conf->ssl.ctx)
-    {
-        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-            "\"ssl_ct\" can only be enabled if ssl is enabled");
-        return NGX_CONF_ERROR;
-    }
+    ngx_array_t *certificates;
 
-    /* read .sct files */
-    ngx_ssl_ct_ext *sct_list = ngx_ssl_ct_read_static_scts(cf, &conf->sct);
-    if (!sct_list)
-    {
-        /* ngx_ssl_ct_read_static_scts calls ngx_log_error */
-        return NGX_CONF_ERROR;
-    }
-
-    /* add OpenSSL TLS extension */
-#ifndef OPENSSL_IS_BORINGSSL
-    if (SSL_CTX_add_server_custom_ext(ssl_conf->ssl.ctx, NGX_SSL_CT_EXT,
-        &ngx_ssl_ct_ext_cb, NULL, sct_list, NULL, NULL) == 0)
-    {
-        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-            "SSL_CTX_add_server_custom_ext failed");
-        ngx_pfree(cf->pool, sct_list);
-        return NGX_CONF_ERROR;
-    }
+#if nginx_version >= 1011000
+    certificates = ssl_conf->certificates;
 #else
-    if (SSL_CTX_set_signed_cert_timestamp_list(ssl_conf->ssl.ctx, sct_list->buf,
-        sct_list->len) == 0)
-    {
-        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-            "SSL_CTX_set_signed_cert_timestamp_list failed");
-        ngx_pfree(cf->pool, sct_list);
-        return NGX_CONF_ERROR;
-    }
+    certificates = ngx_array_create(cf->pool, 1, sizeof(ngx_str_t));
+
+    ngx_str_t *certificate = ngx_array_push(certificates);
+    *certificate = ssl_conf->certificate;
 #endif
 
-    return NGX_CONF_OK;
+    return ngx_ssl_ct_merge_srv_conf(cf, parent, child, ssl_conf->ssl.ctx,
+        certificates);
 }