| author | sftcd <stephen.farrell@cs.tcd.ie> | 2025-11-26 14:12:07 +0000 |
|---|---|---|
| committer | Roman Arutyunyan <arutyunyan.roman@gmail.com> | 2025-12-01 16:33:40 +0400 |
| commit | ab4f5b2d32c1f621ebdf5816a34b568015b98c63 (patch) | |
| tree | a2468ce46360587635183191db34da55126ae55d /src/stream | |
| parent | bcb41c91939009b7d01074c9a8f3cef1da13ec50 (diff) | |
| download | nginx-ab4f5b2d32c1f621ebdf5816a34b568015b98c63.tar.gz nginx-ab4f5b2d32c1f621ebdf5816a34b568015b98c63.tar.bz2 | |
Add basic ECH shared-mode via OpenSSL.
Diffstat (limited to 'src/stream')
| -rw-r--r-- | src/stream/ngx_stream_ssl_module.c | 21 | ||||
| -rw-r--r-- | src/stream/ngx_stream_ssl_module.h | 1 |
2 files changed, 22 insertions, 0 deletions
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c index 6a5160f27..b7e5db449 100644 --- a/src/stream/ngx_stream_ssl_module.c +++ b/src/stream/ngx_stream_ssl_module.c @@ -126,6 +126,13 @@ static ngx_command_t ngx_stream_ssl_commands[] = { 0, NULL }, + { ngx_string("ssl_ech_file"), + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_array_slot, + NGX_STREAM_SRV_CONF_OFFSET, + offsetof(ngx_stream_ssl_srv_conf_t, ech_files), + NULL }, + { ngx_string("ssl_password_file"), NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, ngx_stream_ssl_password_file, @@ -372,6 +379,13 @@ static ngx_stream_variable_t ngx_stream_ssl_vars[] = { { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable, (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_ech_status"), NULL, ngx_stream_ssl_variable, + (uintptr_t) ngx_ssl_get_ech_status, NGX_STREAM_VAR_CHANGEABLE, 0 }, + + { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_stream_ssl_variable, + (uintptr_t) ngx_ssl_get_ech_outer_server_name, + NGX_STREAM_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable, (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 }, @@ -888,6 +902,7 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_t *cf) sscf->certificates = NGX_CONF_UNSET_PTR; sscf->certificate_keys = NGX_CONF_UNSET_PTR; sscf->certificate_cache = NGX_CONF_UNSET_PTR; + sscf->ech_files = NGX_CONF_UNSET_PTR; sscf->passwords = NGX_CONF_UNSET_PTR; sscf->conf_commands = NGX_CONF_UNSET_PTR; sscf->prefer_server_ciphers = NGX_CONF_UNSET; @@ -943,6 +958,8 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache, NULL); + ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL); + ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); 
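Review bot: The `ssl_ech_file` entry added to `ngx_stream_ssl_commands[]` is registered unconditionally and stores its argument with the generic `ngx_conf_set_str_array_slot`, so nothing in this hunk validates the path or tells the operator whether the linked OpenSSL supports ECH. Both are presumably left to `ngx_ssl_ech_files()`, which is outside this diff (limited to src/stream). It is worth confirming that it resolves relative paths against the configuration prefix, and that a build without ECH support fails or warns at configuration load rather than silently running without ECH. Since the file presumably carries the ECH private key, I would add a comment above the entry such as `/* PEM file(s) with the ECH key pair and ECHConfig; private key material, restrict file permissions */`.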
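Review bot: The `ssl_ech_outer_server_name` entry added to `ngx_stream_ssl_vars[]` exposes a name the client chooses in the outer ClientHello, and nothing at the definition says so. Configurations that log it or feed it into `map` or upstream selection should treat it as any other client-supplied string and check `$ssl_ech_status` before drawing conclusions from it. Going by the names, the outer name is available whether or not ECH decryption succeeded, but the getters `ngx_ssl_get_ech_status` and `ngx_ssl_get_ech_outer_server_name` are defined outside this diff, so that should be confirmed. I would add a one-line comment above the two entries, e.g. `/* ECH: decryption status and the client-supplied outer SNI (untrusted) */`.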
@@ -1124,6 +1141,10 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_ERROR; } + if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) { + return NGX_CONF_ERROR; + } + if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) { return NGX_CONF_ERROR; } diff --git a/src/stream/ngx_stream_ssl_module.h b/src/stream/ngx_stream_ssl_module.h index 31f138cfd..6fdd8f88c 100644 --- a/src/stream/ngx_stream_ssl_module.h +++ b/src/stream/ngx_stream_ssl_module.h @@ -49,6 +49,7 @@ typedef struct { ngx_str_t ciphers; + ngx_array_t *ech_files; ngx_array_t *passwords; ngx_array_t *conf_commands; |
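Review bot: `ngx_ssl_ech_files()` is called for every server, including those with no `ssl_ech_file`, where `conf->ech_files` is NULL after the `ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL)` added earlier in this file. The helper is defined outside this diff, so whether it treats NULL as "ECH not configured" cannot be checked here; if it does not, this is a NULL dereference at configuration load. An explicit guard keeps the contract visible at the call site: `if (conf->ech_files != NULL && ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {`. `ngx_stream_ssl_merge_srv_conf` starts and ends outside the hunk.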
