1 
2 /*
3  * Copyright (C) Igor Sysoev
4  * Copyright (C) NGINX, Inc.
5  */
6 
7 #ifndef _NXT_TLS_H_INCLUDED_
8 #define _NXT_TLS_H_INCLUDED_
9 
10 
11 #include <nxt_conf.h>
12 
13 
/*
 * The SSL/TLS libraries lack a vector I/O interface yet add noticeable
 * overhead to each SSL/TLS record, so buffering helps to reduce that
 * overhead.  The typical overhead is about 30 bytes, however, TLS also
 * supports random padding of up to 255 bytes.  The maximum SSLv3/TLS
 * record size is 16K.  However, large records increase decryption latency.
 * 4K is a good compromise between 1-6% of SSL/TLS overhead and the latency.
 * A 4K buffer allows sending one SSL/TLS record (4096 bytes of data and up
 * to 224 bytes of overhead) in three 1440-byte TCP/IPv4 packets with
 * timestamps and is compatible with tunnels.
 */

/* Default TLS output buffer size in bytes; see the rationale above. */
#define NXT_TLS_BUFFER_SIZE       4096
27 
28 
/*
 * Forward declarations of the TLS configuration types so that the structs
 * below can refer to each other.  nxt_tls_conf_s, nxt_tls_bundle_conf_s and
 * nxt_tls_init_s are defined in this header; nxt_tls_ticket_s and
 * nxt_tls_tickets_s are not (presumably they live in the library-specific
 * TLS sources).
 */
typedef struct nxt_tls_conf_s         nxt_tls_conf_t;
typedef struct nxt_tls_bundle_conf_s  nxt_tls_bundle_conf_t;
typedef struct nxt_tls_init_s         nxt_tls_init_t;
typedef struct nxt_tls_ticket_s       nxt_tls_ticket_t;
typedef struct nxt_tls_tickets_s      nxt_tls_tickets_t;
34 
/*
 * Dispatch table implemented by each TLS library backend (see the
 * nxt_*_lib externs at the bottom of this header).  Callbacks return
 * nxt_int_t where failure must be reported; the caller is expected to
 * check it.
 */
typedef struct {
    /* Library-wide setup/teardown (judging by name; confirm in backend). */
    nxt_int_t                     (*library_init)(nxt_task_t *task);
    void                          (*library_free)(nxt_task_t *task);

    /*
     * Per-server-configuration setup/teardown.  server_init receives the
     * settings in tls_init and allocates from mp; the meaning of "last"
     * is not visible here (presumably marks the final bundle of a
     * configuration -- confirm against the backend).  server_free releases
     * what server_init built for conf.
     */
    nxt_int_t                     (*server_init)(nxt_task_t *task, nxt_mp_t *mp,
                                      nxt_tls_init_t *tls_init,
                                      nxt_bool_t last);
    void                          (*server_free)(nxt_task_t *task,
                                      nxt_tls_conf_t *conf);
} nxt_tls_lib_t;
45 
46 
/*
 * Entry type for nxt_tls_conf_s.bundle_hash: associates a certificate
 * bundle with a name.  Presumably the name is the lookup key used to pick
 * the bundle at handshake time (e.g. by SNI) -- confirm against the lookup
 * code.
 */
typedef struct {
    nxt_tls_bundle_conf_t         *bundle;

    nxt_str_t                     name;
} nxt_tls_bundle_hash_item_t;
52 
53 
/*
 * One certificate bundle of a TLS server configuration.  Bundles form a
 * singly linked list through "next", headed by nxt_tls_conf_s.bundle.
 */
struct nxt_tls_bundle_conf_s {
    /* Opaque, library-specific context (e.g. the backend's SSL_CTX). */
    void                          *ctx;

    /*
     * Descriptor of the certificate chain file.  Its lifetime/ownership
     * (who closes it, and whether it is kept open after server_init) is
     * not visible here -- confirm in the backend before reusing it.
     */
    nxt_fd_t                      chain_file;
    nxt_str_t                     name;

    nxt_tls_bundle_conf_t         *next;
};
62 
63 
/*
 * Library-independent TLS server configuration, built by the backend's
 * server_init from an nxt_tls_init_t and torn down by server_free.
 */
struct nxt_tls_conf_s {
    /* Head of the bundle list and the by-name index over the same bundles. */
    nxt_tls_bundle_conf_t         *bundle;
    nxt_lvlhsh_t                  bundle_hash;

    /* Session ticket keys; NULL presumably means tickets are not configured. */
    nxt_tls_tickets_t             *tickets;

    /* Backend hook to attach TLS state to a freshly accepted connection. */
    void                          (*conn_init)(nxt_task_t *task,
                                      nxt_tls_conf_t *conf, nxt_conn_t *c);

    /* Backend whose server_free must be used to release this configuration. */
    const nxt_tls_lib_t           *lib;

    /*
     * Cipher list, NUL-terminated, in the backend's own syntax
     * (OpenSSL-style list for nxt_openssl_lib -- confirm).  NULL means the
     * backend default.
     */
    char                          *ciphers;

    /*
     * Path of the CA certificate used to verify peer (client) certificates
     * -- inferred from the name, confirm in the backend.  NULL presumably
     * disables client certificate verification.
     */
    char                          *ca_certificate;

    /* Output buffer size; NXT_TLS_BUFFER_SIZE is the intended default. */
    size_t                        buffer_size;

    /*
     * When set, the connection is closed without waiting for the peer's
     * close_notify (judging by the name -- confirm in the shutdown path).
     */
    uint8_t                       no_wait_shutdown;  /* 1 bit */
};
83 
84 
/*
 * Input to nxt_tls_lib_t.server_init: the raw settings taken from the
 * controller configuration (nxt_conf.h) plus the nxt_tls_conf_t to fill in.
 */
struct nxt_tls_init_s {
    /*
     * Session cache size and timeout (judging by name; units of timeout
     * follow nxt_time_t -- confirm against the backend).
     */
    size_t                        cache_size;
    nxt_time_t                    timeout;

    /*
     * Unparsed configuration values: library-specific commands and the
     * session ticket settings.  Both come from the external configuration,
     * so the backend must validate them rather than trust them.
     */
    nxt_conf_value_t              *conf_cmds;
    nxt_conf_value_t              *tickets_conf;

    /* Target configuration populated by server_init. */
    nxt_tls_conf_t                *conf;
};
93 
94 
/*
 * Backend dispatch tables, one per TLS library the build was configured
 * with.  Only the OpenSSL backend exports extra helpers here.
 */
#if (NXT_HAVE_OPENSSL)
extern const nxt_tls_lib_t        nxt_openssl_lib;

/*
 * printf-style logger for the OpenSSL error queue.  "fmt" must be a string
 * literal chosen by the caller: text originating from the peer or from the
 * library's error strings belongs in the arguments, never in fmt.
 */
void nxt_cdecl nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level,
    const char *fmt, ...);

/*
 * Renders the pending OpenSSL error(s) into [p, end) and returns the
 * position after the written text (inferred from the signature -- confirm
 * whether the result is NUL-terminated before using it as a C string).
 */
u_char *nxt_openssl_copy_error(u_char *p, u_char *end);
#endif

#if (NXT_HAVE_GNUTLS)
extern const nxt_tls_lib_t        nxt_gnutls_lib;
#endif

#if (NXT_HAVE_CYASSL)
extern const nxt_tls_lib_t        nxt_cyassl_lib;
#endif

#if (NXT_HAVE_POLARSSL)
extern const nxt_tls_lib_t        nxt_polar_lib;
#endif
114 
115 
116 #endif /* _NXT_TLS_H_INCLUDED_ */