ngx_event_openssl.h revision e18a033b
1
2/*
3 * Copyright (C) Igor Sysoev
4 * Copyright (C) Nginx, Inc.
5 */
6
7
8#ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_
9#define _NGX_EVENT_OPENSSL_H_INCLUDED_
10
11
12#include <ngx_config.h>
13#include <ngx_core.h>
14
15#include <openssl/ssl.h>
16#include <openssl/err.h>
17#include <openssl/bn.h>
18#include <openssl/conf.h>
19#include <openssl/crypto.h>
20#include <openssl/dh.h>
21#ifndef OPENSSL_NO_ENGINE
22#include <openssl/engine.h>
23#endif
24#include <openssl/evp.h>
25#ifndef OPENSSL_NO_OCSP
26#include <openssl/ocsp.h>
27#endif
28#include <openssl/rand.h>
29#include <openssl/rsa.h>
30#include <openssl/x509.h>
31#include <openssl/x509v3.h>
32
33#define NGX_SSL_NAME     "OpenSSL"
34
35
36#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L)
37#undef OPENSSL_VERSION_NUMBER
38#define OPENSSL_VERSION_NUMBER  0x1000107fL
39#endif
40
41
42#if (OPENSSL_VERSION_NUMBER >= 0x10100001L)
43
44#define ngx_ssl_version()       OpenSSL_version(OPENSSL_VERSION)
45
46#else
47
48#define ngx_ssl_version()       SSLeay_version(SSLEAY_VERSION)
49
50#endif
51
52
53#define ngx_ssl_session_t       SSL_SESSION
54#define ngx_ssl_conn_t          SSL
55
56
57struct ngx_ssl_s {
58    SSL_CTX                    *ctx;
59    ngx_log_t                  *log;
60    size_t                      buffer_size;
61};
62
63
64struct ngx_ssl_connection_s {
65    ngx_ssl_conn_t             *connection;
66    SSL_CTX                    *session_ctx;
67
68    ngx_int_t                   last;
69    ngx_buf_t                  *buf;
70    size_t                      buffer_size;
71
72    ngx_connection_handler_pt   handler;
73
74    ngx_event_handler_pt        saved_read_handler;
75    ngx_event_handler_pt        saved_write_handler;
76
77    unsigned                    handshaked:1;
78    unsigned                    renegotiation:1;
79    unsigned                    buffer:1;
80    unsigned                    no_wait_shutdown:1;
81    unsigned                    no_send_shutdown:1;
82    unsigned                    handshake_buffer_set:1;
83};
84
85
86#define NGX_SSL_NO_SCACHE            -2
87#define NGX_SSL_NONE_SCACHE          -3
88#define NGX_SSL_NO_BUILTIN_SCACHE    -4
89#define NGX_SSL_DFLT_BUILTIN_SCACHE  -5
90
91
92#define NGX_SSL_MAX_SESSION_SIZE  4096
93
94typedef struct ngx_ssl_sess_id_s  ngx_ssl_sess_id_t;
95
96struct ngx_ssl_sess_id_s {
97    ngx_rbtree_node_t           node;
98    u_char                     *id;
99    size_t                      len;
100    u_char                     *session;
101    ngx_queue_t                 queue;
102    time_t                      expire;
103#if (NGX_PTR_SIZE == 8)
104    void                       *stub;
105    u_char                      sess_id[32];
106#endif
107};
108
109
110typedef struct {
111    ngx_rbtree_t                session_rbtree;
112    ngx_rbtree_node_t           sentinel;
113    ngx_queue_t                 expire_queue;
114} ngx_ssl_session_cache_t;
115
116
117#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
118
119typedef struct {
120    size_t                      size;
121    u_char                      name[16];
122    u_char                      hmac_key[32];
123    u_char                      aes_key[32];
124} ngx_ssl_session_ticket_key_t;
125
126#endif
127
128
129#define NGX_SSL_SSLv2    0x0002
130#define NGX_SSL_SSLv3    0x0004
131#define NGX_SSL_TLSv1    0x0008
132#define NGX_SSL_TLSv1_1  0x0010
133#define NGX_SSL_TLSv1_2  0x0020
134
135
136#define NGX_SSL_BUFFER   1
137#define NGX_SSL_CLIENT   2
138
139#define NGX_SSL_BUFSIZE  16384
140
141
142ngx_int_t ngx_ssl_init(ngx_log_t *log);
143ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
144ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
145    ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
146ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
147    ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
148ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
149    ngx_uint_t prefer_server_ciphers);
150ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
151    ngx_str_t *cert, ngx_int_t depth);
152ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
153    ngx_str_t *cert, ngx_int_t depth);
154ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
155ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
156    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
157ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
158    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
159RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
160    int key_length);
161ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
162ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
163ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
164ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
165    ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
166ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
167    ngx_array_t *paths);
168ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
169ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
170    ngx_uint_t flags);
171
172void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
173ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
174#define ngx_ssl_get_session(c)      SSL_get1_session(c->ssl->connection)
175#define ngx_ssl_free_session        SSL_SESSION_free
176#define ngx_ssl_get_connection(ssl_conn)                                      \
177    SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
178#define ngx_ssl_get_server_conf(ssl_ctx)                                      \
179    SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index)
180
181#define ngx_ssl_verify_error_optional(n)                                      \
182    (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT                              \
183     || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN                             \
184     || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY                     \
185     || n == X509_V_ERR_CERT_UNTRUSTED                                        \
186     || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
187
188ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name);
189
190
191ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
192    ngx_str_t *s);
193ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
194    ngx_str_t *s);
195ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool,
196    ngx_str_t *s);
197ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
198    ngx_str_t *s);
199ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
200    ngx_str_t *s);
201ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
202    ngx_str_t *s);
203ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
204    ngx_str_t *s);
205ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
206    ngx_str_t *s);
207ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
208    ngx_str_t *s);
209ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
210    ngx_str_t *s);
211ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
212    ngx_str_t *s);
213ngx_int_t ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
214    ngx_str_t *s);
215ngx_int_t ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
216    ngx_str_t *s);
217ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
218    ngx_str_t *s);
219ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
220    ngx_str_t *s);
221ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
222    ngx_str_t *s);
223ngx_int_t ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool,
224    ngx_str_t *s);
225ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool,
226    ngx_str_t *s);
227ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
228    ngx_str_t *s);
229
230
231ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
232ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size);
233ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size);
234ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit);
235ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in,
236    off_t limit);
237void ngx_ssl_free_buffer(ngx_connection_t *c);
238ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c);
239void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
240    char *fmt, ...);
241void ngx_ssl_cleanup_ctx(void *data);
242
243
244extern int  ngx_ssl_connection_index;
245extern int  ngx_ssl_server_conf_index;
246extern int  ngx_ssl_session_cache_index;
247extern int  ngx_ssl_session_ticket_keys_index;
248extern int  ngx_ssl_certificate_index;
249extern int  ngx_ssl_next_certificate_index;
250extern int  ngx_ssl_certificate_name_index;
251extern int  ngx_ssl_stapling_index;
252
253
254#endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */
255