1771Sigor@sysoev.ru 
2771Sigor@sysoev.ru /*
3771Sigor@sysoev.ru  * Copyright (C) Igor Sysoev
4771Sigor@sysoev.ru  * Copyright (C) NGINX, Inc.
5771Sigor@sysoev.ru  */
6771Sigor@sysoev.ru 
7771Sigor@sysoev.ru #ifndef _NXT_TLS_H_INCLUDED_
8771Sigor@sysoev.ru #define _NXT_TLS_H_INCLUDED_
9771Sigor@sysoev.ru 
10771Sigor@sysoev.ru 
111885Sa.suvorov@f5.com #include <nxt_conf.h>
121885Sa.suvorov@f5.com 
131885Sa.suvorov@f5.com 
/*
 * The SSL/TLS libraries lack a vector I/O interface yet add noticeable
 * overhead to each SSL/TLS record, so buffering allows decreasing the
 * overhead.  The typical overhead size is about 30 bytes; however, TLS
 * also supports random padding up to 255 bytes.  The maximum SSLv3/TLS
 * record size is 16K.  However, large records increase decryption latency.
 * 4K is a good compromise between 1-6% of SSL/TLS overhead and the latency.
 * A 4K buffer allows sending one SSL/TLS record (4096 bytes of data and up
 * to 224 bytes of overhead) in three 1440-byte TCP/IPv4 packets with
 * timestamps and is compatible with tunnels.
 */
25771Sigor@sysoev.ru 
26771Sigor@sysoev.ru #define NXT_TLS_BUFFER_SIZE       4096
27771Sigor@sysoev.ru 
28771Sigor@sysoev.ru 
/*
 * Opaque handles.  nxt_tls_conf_s, nxt_tls_bundle_conf_s and nxt_tls_init_s
 * are defined further down in this header; nxt_tls_ticket_s and
 * nxt_tls_tickets_s are defined elsewhere and only referenced by pointer.
 */
typedef struct nxt_tls_conf_s         nxt_tls_conf_t;
typedef struct nxt_tls_bundle_conf_s  nxt_tls_bundle_conf_t;
typedef struct nxt_tls_init_s         nxt_tls_init_t;
typedef struct nxt_tls_ticket_s       nxt_tls_ticket_t;
typedef struct nxt_tls_tickets_s      nxt_tls_tickets_t;
34771Sigor@sysoev.ru 
/*
 * Function table of a TLS backend.  One constant instance per supported
 * library is declared at the bottom of this header (nxt_openssl_lib,
 * nxt_gnutls_lib, ...), and nxt_tls_conf_t.lib refers to one of them.
 */
typedef struct {
    /* Process-wide library setup and teardown; only a task is passed. */
    nxt_int_t                     (*library_init)(nxt_task_t *task);
    void                          (*library_free)(nxt_task_t *task);

    /*
     * Per-listener setup from the parameters collected in tls_init,
     * allocating from mp.  The meaning of "last" is not visible here --
     * presumably it marks the final bundle of a chain; confirm against
     * the backend implementations.  server_free() releases what
     * server_init() produced for "conf".
     */
    nxt_int_t                     (*server_init)(nxt_task_t *task, nxt_mp_t *mp,
                                      nxt_tls_init_t *tls_init,
                                      nxt_bool_t last);
    void                          (*server_free)(nxt_task_t *task,
                                      nxt_tls_conf_t *conf);
} nxt_tls_lib_t;
45771Sigor@sysoev.ru 
46771Sigor@sysoev.ru 
/*
 * Element stored in nxt_tls_conf_t.bundle_hash; presumably the hash is
 * keyed by "name" so a bundle can be found by its configured name --
 * confirm against the hash callbacks.
 */
typedef struct {
    nxt_tls_bundle_conf_t         *bundle;

    nxt_str_t                     name;
} nxt_tls_bundle_hash_item_t;
521828Sa.suvorov@f5.com 
531828Sa.suvorov@f5.com 
/*
 * One certificate bundle of a listener.  Bundles form a singly linked list
 * through "next"; nxt_tls_conf_t.bundle is the head of that list.
 */
struct nxt_tls_bundle_conf_s {
    /*
     * Opaque to this header; presumably the backend's context object
     * (e.g. an OpenSSL SSL_CTX) created by server_init() -- confirm.
     */
    void                          *ctx;

    /*
     * Descriptor of the certificate chain file.  Who opens and closes it
     * is not visible here; the reader should check it is not leaked on
     * the server_init() error paths.
     */
    nxt_fd_t                      chain_file;
    nxt_str_t                     name;

    nxt_tls_bundle_conf_t         *next;
};
621828Sa.suvorov@f5.com 
631828Sa.suvorov@f5.com 
/*
 * Per-listener TLS configuration.  Released through lib->server_free();
 * presumably populated by lib->server_init() via nxt_tls_init_t.conf --
 * confirm.
 */
struct nxt_tls_conf_s {
    /* Bundle list head and the by-name lookup table over the same bundles. */
    nxt_tls_bundle_conf_t         *bundle;
    nxt_lvlhsh_t                  bundle_hash;

    /*
     * Session ticket state (nxt_tls_tickets_s is defined elsewhere).
     * NOTE(review): if this holds ticket keys, it is as sensitive as the
     * private key -- confirm it is zeroized, not just freed, in
     * server_free().
     */
    nxt_tls_tickets_t             *tickets;

    /* Per-connection hook installed by the backend. */
    void                          (*conn_init)(nxt_task_t *task,
                                      nxt_tls_conf_t *conf, nxt_conn_t *c);

    const nxt_tls_lib_t           *lib;

    /* Cipher list handed to the backend; its syntax is backend-defined. */
    char                          *ciphers;

    /* Presumably a path to the CA certificate file -- TODO confirm. */
    char                          *ca_certificate;

    /*
     * Size of the output buffer; see the NXT_TLS_BUFFER_SIZE comment above
     * for the rationale.  Where the default is applied is not visible here.
     */
    size_t                        buffer_size;

    uint8_t                       no_wait_shutdown;  /* 1 bit */
};
83771Sigor@sysoev.ru 
84771Sigor@sysoev.ru 
/*
 * Parameters passed to nxt_tls_lib_t.server_init().  The nxt_conf_value_t
 * members are raw configuration subtrees (see nxt_conf.h), so the backend
 * that consumes them is responsible for validating them.
 */
struct nxt_tls_init_s {
    /* Presumably session cache size and session timeout -- confirm units. */
    size_t                        cache_size;
    nxt_time_t                    timeout;

    /*
     * Backend command list and ticket settings from the configuration.
     * presumably conf_cmds maps onto OpenSSL's SSL_CONF_cmd(); confirm.
     */
    nxt_conf_value_t              *conf_cmds;
    nxt_conf_value_t              *tickets_conf;

    /* The nxt_tls_conf_t being initialised. */
    nxt_tls_conf_t                *conf;
};
931920Sa.suvorov@f5.com 
941920Sa.suvorov@f5.com 
#if (NXT_HAVE_OPENSSL)
extern const nxt_tls_lib_t        nxt_openssl_lib;

/*
 * Logs at "level" with a printf-style format; presumably the pending
 * OpenSSL error queue is appended -- confirm.  fmt must be a string
 * literal: caller data goes in the variadic arguments, never into fmt.
 */
void nxt_cdecl nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level,
    const char *fmt, ...);

/*
 * Presumably writes the OpenSSL error text into [p, end) and returns the
 * position after the last byte written -- confirm.  "end" is the only bound
 * on the write, so it must be the real end of the caller's buffer; whether
 * the output is NUL-terminated is not visible here.
 */
u_char *nxt_openssl_copy_error(u_char *p, u_char *end);
#endif
102771Sigor@sysoev.ru 
/* Alternative backends; only those compiled in (NXT_HAVE_*) are declared. */
#if (NXT_HAVE_GNUTLS)
extern const nxt_tls_lib_t        nxt_gnutls_lib;
#endif

#if (NXT_HAVE_CYASSL)
extern const nxt_tls_lib_t        nxt_cyassl_lib;
#endif

#if (NXT_HAVE_POLARSSL)
extern const nxt_tls_lib_t        nxt_polar_lib;
#endif
114771Sigor@sysoev.ru 
115771Sigor@sysoev.ru 
116771Sigor@sysoev.ru #endif /* _NXT_TLS_H_INCLUDED_ */