1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
/*
* Copyright (C) Igor Sysoev
* Copyright (C) NGINX, Inc.
*/
#ifndef _NXT_TLS_H_INCLUDED_
#define _NXT_TLS_H_INCLUDED_
#include <nxt_conf.h>
/*
* The SSL/TLS libraries lack vector I/O interface yet add noticeable
* overhead to each SSL/TLS record so buffering allows to decrease the
* overhead. The typical overhead size is about 30 bytes, however, TLS
* supports also random padding up to 255 bytes. The maximum SSLv3/TLS
* record size is 16K. However, large records increase decryption latency.
* 4K is good compromise between 1-6% of SSL/TLS overhead and the latency.
* 4K buffer allows to send one SSL/TLS record (4096-bytes data and up to
* 224-bytes overhead) in three 1440-bytes TCP/IPv4 packets with timestamps
* and compatible with tunnels.
*/
#define NXT_TLS_BUFFER_SIZE 4096
typedef struct nxt_tls_conf_s nxt_tls_conf_t;
typedef struct nxt_tls_bundle_conf_s nxt_tls_bundle_conf_t;
typedef struct nxt_tls_init_s nxt_tls_init_t;
typedef struct nxt_tls_ticket_s nxt_tls_ticket_t;
typedef struct nxt_tls_tickets_s nxt_tls_tickets_t;
typedef struct {
nxt_int_t (*library_init)(nxt_task_t *task);
void (*library_free)(nxt_task_t *task);
nxt_int_t (*server_init)(nxt_task_t *task, nxt_mp_t *mp,
nxt_tls_init_t *tls_init,
nxt_bool_t last);
void (*server_free)(nxt_task_t *task,
nxt_tls_conf_t *conf);
} nxt_tls_lib_t;
typedef struct {
nxt_tls_bundle_conf_t *bundle;
nxt_str_t name;
} nxt_tls_bundle_hash_item_t;
struct nxt_tls_bundle_conf_s {
void *ctx;
nxt_fd_t chain_file;
nxt_str_t name;
nxt_tls_bundle_conf_t *next;
};
struct nxt_tls_conf_s {
nxt_tls_bundle_conf_t *bundle;
nxt_lvlhsh_t bundle_hash;
nxt_tls_tickets_t *tickets;
void (*conn_init)(nxt_task_t *task,
nxt_tls_conf_t *conf, nxt_conn_t *c);
const nxt_tls_lib_t *lib;
char *ciphers;
char *ca_certificate;
size_t buffer_size;
uint8_t no_wait_shutdown; /* 1 bit */
};
struct nxt_tls_init_s {
size_t cache_size;
nxt_time_t timeout;
nxt_conf_value_t *conf_cmds;
nxt_conf_value_t *tickets_conf;
nxt_tls_conf_t *conf;
};
struct nxt_tls_ticket_s {
uint8_t aes128;
u_char name[16];
u_char hmac_key[32];
u_char aes_key[32];
};
struct nxt_tls_tickets_s {
nxt_uint_t count;
nxt_tls_ticket_t tickets[];
};
#if (NXT_HAVE_OPENSSL)
extern const nxt_tls_lib_t nxt_openssl_lib;
void nxt_cdecl nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level,
const char *fmt, ...);
u_char *nxt_openssl_copy_error(u_char *p, u_char *end);
nxt_int_t nxt_openssl_base64_decode(u_char *d, size_t dlen, const u_char *s,
size_t slen);
#endif
#if (NXT_HAVE_GNUTLS)
extern const nxt_tls_lib_t nxt_gnutls_lib;
#endif
#if (NXT_HAVE_CYASSL)
extern const nxt_tls_lib_t nxt_cyassl_lib;
#endif
#if (NXT_HAVE_POLARSSL)
extern const nxt_tls_lib_t nxt_polar_lib;
#endif
#endif /* _NXT_TLS_H_INCLUDED_ */
|
