nghttpx: Enable neverbleed for client private key; don't run nb without TLS

This commit is contained in:
Tatsuhiro Tsujikawa 2015-09-26 21:28:16 +09:00
parent 8dd5f7585e
commit 566b0476d7
4 changed files with 69 additions and 17 deletions

View File

@ -165,7 +165,11 @@ int ConnectionHandler::create_single_worker() {
nb_.get() nb_.get()
#endif // HAVE_NEVERBLEED #endif // HAVE_NEVERBLEED
); );
auto cl_ssl_ctx = ssl::setup_client_ssl_context(); auto cl_ssl_ctx = ssl::setup_client_ssl_context(
#ifdef HAVE_NEVERBLEED
nb_.get()
#endif // HAVE_NEVERBLEED
);
if (cl_ssl_ctx) { if (cl_ssl_ctx) {
all_ssl_ctx_.push_back(cl_ssl_ctx); all_ssl_ctx_.push_back(cl_ssl_ctx);
@ -193,7 +197,11 @@ int ConnectionHandler::create_worker_thread(size_t num) {
nb_.get() nb_.get()
#endif // HAVE_NEVERBLEED #endif // HAVE_NEVERBLEED
); );
auto cl_ssl_ctx = ssl::setup_client_ssl_context(); auto cl_ssl_ctx = ssl::setup_client_ssl_context(
#ifdef HAVE_NEVERBLEED
nb_.get()
#endif // HAVE_NEVERBLEED
);
if (cl_ssl_ctx) { if (cl_ssl_ctx) {
all_ssl_ctx_.push_back(cl_ssl_ctx); all_ssl_ctx_.push_back(cl_ssl_ctx);

View File

@ -635,7 +635,11 @@ int select_next_proto_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
} }
} // namespace } // namespace
SSL_CTX *create_ssl_client_context() { SSL_CTX *create_ssl_client_context(
#ifdef HAVE_NEVERBLEED
neverbleed_t *nb
#endif // HAVE_NEVERBLEED
) {
auto ssl_ctx = SSL_CTX_new(SSLv23_client_method()); auto ssl_ctx = SSL_CTX_new(SSLv23_client_method());
if (!ssl_ctx) { if (!ssl_ctx) {
LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr); LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
@ -681,6 +685,7 @@ SSL_CTX *create_ssl_client_context() {
} }
if (get_config()->client_private_key_file) { if (get_config()->client_private_key_file) {
#ifndef HAVE_NEVERBLEED
if (SSL_CTX_use_PrivateKey_file(ssl_ctx, if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
get_config()->client_private_key_file.get(), get_config()->client_private_key_file.get(),
SSL_FILETYPE_PEM) != 1) { SSL_FILETYPE_PEM) != 1) {
@ -689,6 +694,16 @@ SSL_CTX *create_ssl_client_context() {
<< ERR_error_string(ERR_get_error(), nullptr); << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
#else // HAVE_NEVERBLEED
std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
if (neverbleed_load_private_key_file(
nb, ssl_ctx, get_config()->client_private_key_file.get(),
errbuf.data()) != 1) {
LOG(FATAL) << "neverbleed_load_private_key_file failed: "
<< errbuf.data();
DIE();
}
#endif // HAVE_NEVERBLEED
} }
if (get_config()->client_cert_file) { if (get_config()->client_cert_file) {
if (SSL_CTX_use_certificate_chain_file( if (SSL_CTX_use_certificate_chain_file(
@ -1165,15 +1180,28 @@ SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
return ssl_ctx; return ssl_ctx;
} }
SSL_CTX *setup_client_ssl_context() { bool downstream_tls_enabled() {
if (get_config()->client_mode) { if (get_config()->client_mode) {
return get_config()->downstream_no_tls ? nullptr return !get_config()->downstream_no_tls;
: ssl::create_ssl_client_context();
} }
return get_config()->http2_bridge && !get_config()->downstream_no_tls return get_config()->http2_bridge && !get_config()->downstream_no_tls;
? ssl::create_ssl_client_context() }
: nullptr;
SSL_CTX *setup_client_ssl_context(
#ifdef HAVE_NEVERBLEED
neverbleed_t *nb
#endif // HAVE_NEVERBLEED
) {
if (!downstream_tls_enabled()) {
return nullptr;
}
return ssl::create_ssl_client_context(
#ifdef HAVE_NEVERBLEED
nb
#endif // HAVE_NEVERBLEED
);
} }
CertLookupTree *create_cert_lookup_tree() { CertLookupTree *create_cert_lookup_tree() {

View File

@ -69,7 +69,11 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
); );
// Create client side SSL_CTX // Create client side SSL_CTX
SSL_CTX *create_ssl_client_context(); SSL_CTX *create_ssl_client_context(
#ifdef HAVE_NEVERBLEED
neverbleed_t *nb
#endif // HAVE_NEVERBLEED
);
ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr, ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
int addrlen); int addrlen);
@ -179,7 +183,11 @@ SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
// Setups client side SSL_CTX. This function inspects get_config() // Setups client side SSL_CTX. This function inspects get_config()
// and if downstream_no_tls is true, returns nullptr. Otherwise, only // and if downstream_no_tls is true, returns nullptr. Otherwise, only
// construct SSL_CTX if either client_mode or http2_bridge is true. // construct SSL_CTX if either client_mode or http2_bridge is true.
SSL_CTX *setup_client_ssl_context(); SSL_CTX *setup_client_ssl_context(
#ifdef HAVE_NEVERBLEED
neverbleed_t *nb
#endif // HAVE_NEVERBLEED
);
// Creates CertLookupTree. If frontend is configured not to use TLS, // Creates CertLookupTree. If frontend is configured not to use TLS,
// this function returns nullptr. // this function returns nullptr.
@ -187,6 +195,9 @@ CertLookupTree *create_cert_lookup_tree();
SSL *create_ssl(SSL_CTX *ssl_ctx); SSL *create_ssl(SSL_CTX *ssl_ctx);
// Returns true if SSL/TLS is enabled on downstream
bool downstream_tls_enabled();
} // namespace ssl } // namespace ssl
} // namespace shrpx } // namespace shrpx

View File

@ -48,6 +48,7 @@
#include "shrpx_memcached_dispatcher.h" #include "shrpx_memcached_dispatcher.h"
#include "shrpx_memcached_request.h" #include "shrpx_memcached_request.h"
#include "shrpx_process.h" #include "shrpx_process.h"
#include "shrpx_ssl.h"
#include "util.h" #include "util.h"
#include "app_helper.h" #include "app_helper.h"
#include "template.h" #include "template.h"
@ -84,7 +85,9 @@ void drop_privileges(
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
#ifdef HAVE_NEVERBLEED #ifdef HAVE_NEVERBLEED
if (nb) {
neverbleed_setuidgid(nb, get_config()->user.get(), 1); neverbleed_setuidgid(nb, get_config()->user.get(), 1);
}
#endif // HAVE_NEVERBLEED #endif // HAVE_NEVERBLEED
} }
} }
@ -400,8 +403,8 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
} }
#ifdef HAVE_NEVERBLEED #ifdef HAVE_NEVERBLEED
if (!get_config()->upstream_no_tls || ssl::downstream_tls_enabled()) {
std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf; std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
{
auto nb = make_unique<neverbleed_t>(); auto nb = make_unique<neverbleed_t>();
if (neverbleed_init(nb.get(), errbuf.data()) != 0) { if (neverbleed_init(nb.get(), errbuf.data()) != 0) {
LOG(FATAL) << "neverbleed_init failed: " << errbuf.data(); LOG(FATAL) << "neverbleed_init failed: " << errbuf.data();
@ -416,9 +419,11 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
auto nb = conn_handler.get_neverbleed(); auto nb = conn_handler.get_neverbleed();
ev_child nb_childev; ev_child nb_childev;
if (nb) {
ev_child_init(&nb_childev, nb_child_cb, nb->daemon_pid, 0); ev_child_init(&nb_childev, nb_child_cb, nb->daemon_pid, 0);
nb_childev.data = nullptr; nb_childev.data = nullptr;
ev_child_start(loop, &nb_childev); ev_child_start(loop, &nb_childev);
}
#endif // HAVE_NEVERBLEED #endif // HAVE_NEVERBLEED