[PATCH 1 of 6] SSL: define NGX_SSL_VERIFY constants

Piotr Sikora piotrsikora at google.com
Thu Aug 18 00:29:22 UTC 2016


# HG changeset patch
# User Piotr Sikora <piotrsikora at google.com>
# Date 1471428975 25200
#      Wed Aug 17 03:16:15 2016 -0700
# Node ID 653b04653271346c63ab5f3daced807228eed5ac
# Parent  c131f20c9562387f94a268440594c288725d3ba8
SSL: define NGX_SSL_VERIFY constants.

No binary changes.

Signed-off-by: Piotr Sikora <piotrsikora at google.com>

diff -r c131f20c9562 -r 653b04653271 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -125,17 +125,21 @@ typedef struct {
 #endif
 
 
-#define NGX_SSL_SSLv2    0x0002
-#define NGX_SSL_SSLv3    0x0004
-#define NGX_SSL_TLSv1    0x0008
-#define NGX_SSL_TLSv1_1  0x0010
-#define NGX_SSL_TLSv1_2  0x0020
+#define NGX_SSL_SSLv2                   0x0002
+#define NGX_SSL_SSLv3                   0x0004
+#define NGX_SSL_TLSv1                   0x0008
+#define NGX_SSL_TLSv1_1                 0x0010
+#define NGX_SSL_TLSv1_2                 0x0020
 
+#define NGX_SSL_VERIFY_OFF              0
+#define NGX_SSL_VERIFY_REQUIRED         1
+#define NGX_SSL_VERIFY_OPTIONAL         2
+#define NGX_SSL_VERIFY_OPTIONAL_NO_CA   3
 
-#define NGX_SSL_BUFFER   1
-#define NGX_SSL_CLIENT   2
+#define NGX_SSL_BUFFER                  1
+#define NGX_SSL_CLIENT                  2
 
-#define NGX_SSL_BUFSIZE  16384
+#define NGX_SSL_BUFSIZE                 16384
 
 
 ngx_int_t ngx_ssl_init(ngx_log_t *log);
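Review bot: The four new `NGX_SSL_VERIFY_*` defines have no comment tying them to the `off`/`on`/`optional`/`optional_no_ca` keywords in `ngx_http_ssl_verify[]` and `ngx_mail_ssl_verify[]`. The `on` keyword maps to `NGX_SSL_VERIFY_REQUIRED`, so the names no longer match one-to-one and a reader has to open both modules to see this. The merge code visible later in this patch also tests `conf->verify` for truthiness, so `NGX_SSL_VERIFY_OFF` has to remain 0. A one-line comment above the group would record both facts, for example `/* client certificate verification modes, see the ngx_*_ssl_verify[] enum tables; NGX_SSL_VERIFY_OFF must stay 0 */`.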
diff -r c131f20c9562 -r 653b04653271 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -62,10 +62,10 @@ static ngx_conf_bitmask_t  ngx_http_ssl_
 
 
 static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
-    { ngx_string("off"), 0 },
-    { ngx_string("on"), 1 },
-    { ngx_string("optional"), 2 },
-    { ngx_string("optional_no_ca"), 3 },
+    { ngx_string("off"), NGX_SSL_VERIFY_OFF },
+    { ngx_string("on"), NGX_SSL_VERIFY_REQUIRED },
+    { ngx_string("optional"), NGX_SSL_VERIFY_OPTIONAL },
+    { ngx_string("optional_no_ca"), NGX_SSL_VERIFY_OPTIONAL_NO_CA },
     { ngx_null_string, 0 }
 };
 
@@ -570,7 +570,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
                          NGX_SSL_BUFSIZE);
 
-    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+    ngx_conf_merge_uint_value(conf->verify, prev->verify, NGX_SSL_VERIFY_OFF);
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 
     ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
@@ -700,7 +700,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
 
     if (conf->verify) {
 
-        if (conf->client_certificate.len == 0 && conf->verify != 3) {
+        if (conf->client_certificate.len == 0
+            && conf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA)
+        {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no ssl_client_certificate for ssl_client_verify");
             return NGX_CONF_ERROR;
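Review bot: The context line `if (conf->verify) {` still depends on the numeric value of the mode, although the inner comparison now uses `NGX_SSL_VERIFY_OPTIONAL_NO_CA`. Writing it as `if (conf->verify != NGX_SSL_VERIFY_OFF) {` would finish the conversion and keep the client-certificate configuration check independent of how the constants are numbered. The same applies to the identical test in the `ngx_mail_ssl_merge_conf()` hunk of src/mail/ngx_mail_ssl_module.c. The body of `ngx_http_ssl_merge_srv_conf()` starts and ends outside this hunk.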
diff -r c131f20c9562 -r 653b04653271 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1862,7 +1862,8 @@ ngx_http_process_request(ngx_http_reques
             rc = SSL_get_verify_result(c->ssl->connection);
 
             if (rc != X509_V_OK
-                && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+                && (sscf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA
+                    || !ngx_ssl_verify_error_optional(rc)))
             {
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "client SSL certificate verify error: (%l:%s)",
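Review bot: The `NGX_SSL_VERIFY_OPTIONAL_NO_CA` branch of this condition lets processing continue after a failed verification whenever `ngx_ssl_verify_error_optional(rc)` accepts the error, and nothing at the call site says so. That helper is defined outside this patch, so the exact set of tolerated errors cannot be confirmed here; presumably it covers trust-chain failures. A short comment such as `/* optional_no_ca: errors accepted by ngx_ssl_verify_error_optional() are tolerated, the certificate is not authenticated here */` would tell maintainers that anything consuming the client certificate in this mode must check the verification result itself. The same condition in `ngx_mail_verify_cert()` in src/mail/ngx_mail_handler.c deserves the same comment. The enclosing function starts and ends outside the hunk.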
@@ -1875,7 +1876,7 @@ ngx_http_process_request(ngx_http_reques
                 return;
             }
 
-            if (sscf->verify == 1) {
+            if (sscf->verify == NGX_SSL_VERIFY_REQUIRED) {
                 cert = SSL_get_peer_certificate(c->ssl->connection);
 
                 if (cert == NULL) {
diff -r c131f20c9562 -r 653b04653271 src/mail/ngx_mail_handler.c
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -296,7 +296,8 @@ ngx_mail_verify_cert(ngx_mail_session_t 
     rc = SSL_get_verify_result(c->ssl->connection);
 
     if (rc != X509_V_OK
-        && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+        && (sslcf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA
+            || !ngx_ssl_verify_error_optional(rc)))
     {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "client SSL certificate verify error: (%l:%s)",
@@ -316,7 +317,7 @@ ngx_mail_verify_cert(ngx_mail_session_t 
         return NGX_ERROR;
     }
 
-    if (sslcf->verify == 1) {
+    if (sslcf->verify == NGX_SSL_VERIFY_REQUIRED) {
         cert = SSL_get_peer_certificate(c->ssl->connection);
 
         if (cert == NULL) {
diff -r c131f20c9562 -r 653b04653271 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -47,10 +47,10 @@ static ngx_conf_bitmask_t  ngx_mail_ssl_
 
 
 static ngx_conf_enum_t  ngx_mail_ssl_verify[] = {
-    { ngx_string("off"), 0 },
-    { ngx_string("on"), 1 },
-    { ngx_string("optional"), 2 },
-    { ngx_string("optional_no_ca"), 3 },
+    { ngx_string("off"), NGX_SSL_VERIFY_OFF },
+    { ngx_string("on"), NGX_SSL_VERIFY_REQUIRED },
+    { ngx_string("optional"), NGX_SSL_VERIFY_OPTIONAL },
+    { ngx_string("optional_no_ca"), NGX_SSL_VERIFY_OPTIONAL_NO_CA },
     { ngx_null_string, 0 }
 };
 
@@ -287,7 +287,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
                          (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 
-    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+    ngx_conf_merge_uint_value(conf->verify, prev->verify, NGX_SSL_VERIFY_OFF);
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 
     ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
@@ -395,7 +395,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
 
     if (conf->verify) {
 
-        if (conf->client_certificate.len == 0 && conf->verify != 3) {
+        if (conf->client_certificate.len == 0
+            && conf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA)
+        {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no ssl_client_certificate for ssl_client_verify");
             return NGX_CONF_ERROR;


