summaryrefslogblamecommitdiffhomepage
path: root/src/nxt_tls.h
blob: eeb4e7ba10c3cb2cc6cd4046f010edc477cd951e (plain) (tree)
1
2
3
4
5
6
7
8
9
10





                            

                            

 


                     











                                                                           
                                      

 

                                                            
                                                     

                                                        

                

                                                                    
 

                                                                                
                                                       


                                                                  
 
 







                                          
                                       

                                             
                                       








                                              

                                           
                                                                
                                                                           
 
                                       
 




                                                  

                                                                


  



                                             
                                                




                                        













                                               
                      




                                                                        

                                                                            


                     
                                                 


                     
                                                 


                       
                                                


      
                                 

/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) NGINX, Inc.
 */

#ifndef _NXT_TLS_H_INCLUDED_
#define _NXT_TLS_H_INCLUDED_


#include <nxt_conf.h>


/*
 * The SSL/TLS libraries lack vector I/O interface yet add noticeable
 * overhead to each SSL/TLS record so buffering allows to decrease the
 * overhead.  The typical overhead size is about 30 bytes, however, TLS
 * supports also random padding up to 255 bytes.  The maximum SSLv3/TLS
 * record size is 16K.  However, large records increase decryption latency.
 * 4K is good compromise between 1-6% of SSL/TLS overhead and the latency.
 * 4K buffer allows to send one SSL/TLS record (4096-bytes data and up to
 * 224-bytes overhead) in three 1440-bytes TCP/IPv4 packets with timestamps
 * and compatible with tunnels.
 */

#define NXT_TLS_BUFFER_SIZE       4096


typedef struct nxt_tls_conf_s         nxt_tls_conf_t;
typedef struct nxt_tls_bundle_conf_s  nxt_tls_bundle_conf_t;
typedef struct nxt_tls_init_s         nxt_tls_init_t;
typedef struct nxt_tls_ticket_s       nxt_tls_ticket_t;
typedef struct nxt_tls_tickets_s      nxt_tls_tickets_t;

typedef struct {
    nxt_int_t                     (*library_init)(nxt_task_t *task);
    void                          (*library_free)(nxt_task_t *task);

    nxt_int_t                     (*server_init)(nxt_task_t *task, nxt_mp_t *mp,
                                      nxt_tls_init_t *tls_init,
                                      nxt_bool_t last);
    void                          (*server_free)(nxt_task_t *task,
                                      nxt_tls_conf_t *conf);
} nxt_tls_lib_t;


typedef struct {
    nxt_tls_bundle_conf_t         *bundle;

    nxt_str_t                     name;
} nxt_tls_bundle_hash_item_t;


struct nxt_tls_bundle_conf_s {
    void                          *ctx;

    nxt_fd_t                      chain_file;
    nxt_str_t                     name;

    nxt_tls_bundle_conf_t         *next;
};


struct nxt_tls_conf_s {
    nxt_tls_bundle_conf_t         *bundle;
    nxt_lvlhsh_t                  bundle_hash;

    nxt_tls_tickets_t             *tickets;

    void                          (*conn_init)(nxt_task_t *task,
                                      nxt_tls_conf_t *conf, nxt_conn_t *c);

    const nxt_tls_lib_t           *lib;

    char                          *ciphers;

    char                          *ca_certificate;

    size_t                        buffer_size;

    uint8_t                       no_wait_shutdown;  /* 1 bit */
};


struct nxt_tls_init_s {
    size_t                        cache_size;
    nxt_time_t                    timeout;
    nxt_conf_value_t              *conf_cmds;
    nxt_conf_value_t              *tickets_conf;

    nxt_tls_conf_t                *conf;
};


struct nxt_tls_ticket_s {
    uint8_t                       aes128;
    u_char                        name[16];
    u_char                        hmac_key[32];
    u_char                        aes_key[32];
};


struct nxt_tls_tickets_s {
    nxt_uint_t                    count;
    nxt_tls_ticket_t              tickets[];
};


#if (NXT_HAVE_OPENSSL)
extern const nxt_tls_lib_t        nxt_openssl_lib;

void nxt_cdecl nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level,
    const char *fmt, ...);
u_char *nxt_openssl_copy_error(u_char *p, u_char *end);
nxt_int_t nxt_openssl_base64_decode(u_char *d, size_t dlen, const u_char *s,
    size_t slen);
#endif

#if (NXT_HAVE_GNUTLS)
extern const nxt_tls_lib_t        nxt_gnutls_lib;
#endif

#if (NXT_HAVE_CYASSL)
extern const nxt_tls_lib_t        nxt_cyassl_lib;
#endif

#if (NXT_HAVE_POLARSSL)
extern const nxt_tls_lib_t        nxt_polar_lib;
#endif


#endif /* _NXT_TLS_H_INCLUDED_ */