/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) NGINX, Inc.
 */

/*
 * nxt_tls.h -- library-independent TLS configuration types and the
 * dispatch table through which a TLS backend (OpenSSL, GnuTLS, ...) is
 * plugged into the connection layer.  Nothing in this header is
 * specific to one library; the concrete implementations live in the
 * per-library translation units selected by the NXT_HAVE_* macros at the
 * bottom of the file.
 */

#ifndef _NXT_TLS_H_INCLUDED_
#define _NXT_TLS_H_INCLUDED_


#include <nxt_conf.h>


/*
 * The SSL/TLS libraries lack a vector I/O interface yet add noticeable
 * overhead to each SSL/TLS record, so buffering allows the overhead to be
 * decreased.  The typical overhead size is about 30 bytes; however, TLS
 * also supports random padding up to 255 bytes.  The maximum SSLv3/TLS
 * record size is 16K.  However, large records increase decryption latency.
 * 4K is a good compromise between 1-6% of SSL/TLS overhead and the latency.
 * A 4K buffer allows sending one SSL/TLS record (4096 bytes of data and up
 * to 224 bytes of overhead) in three 1440-byte TCP/IPv4 packets with
 * timestamps, and is compatible with tunnels.
 */

#define NXT_TLS_BUFFER_SIZE  4096


/* Forward declarations; the ticket structs are defined by the backend. */
typedef struct nxt_tls_conf_s  nxt_tls_conf_t;
typedef struct nxt_tls_bundle_conf_s  nxt_tls_bundle_conf_t;
typedef struct nxt_tls_init_s  nxt_tls_init_t;
typedef struct nxt_tls_ticket_s  nxt_tls_ticket_t;
typedef struct nxt_tls_tickets_s  nxt_tls_tickets_t;

/*
 * Backend dispatch table.  One constant instance per compiled-in library
 * (see nxt_openssl_lib etc. below); nxt_tls_conf_t.lib points at the one
 * in use.
 */
typedef struct {
    /* Process-wide library setup/teardown. */
    nxt_int_t                     (*library_init)(nxt_task_t *task);
    void                          (*library_free)(nxt_task_t *task);

    /*
     * Build a server-side configuration from tls_init, allocating from mp.
     * NOTE(review): the meaning of "last" is not visible here -- presumably
     * it marks the final bundle of a multi-bundle setup; confirm against
     * the backend implementation.
     */
    nxt_int_t                     (*server_init)(nxt_task_t *task, nxt_mp_t *mp,
                                                 nxt_tls_init_t *tls_init,
                                                 nxt_bool_t last);
    /* Release everything server_init attached to conf. */
    void                          (*server_free)(nxt_task_t *task,
                                                 nxt_tls_conf_t *conf);
} nxt_tls_lib_t;


/* Entry of nxt_tls_conf_t.bundle_hash: looks a bundle up by name. */
typedef struct {
    nxt_tls_bundle_conf_t         *bundle;

    nxt_str_t                     name;
} nxt_tls_bundle_hash_item_t;


/*
 * One certificate bundle (certificate chain plus its library context).
 * Bundles form a singly linked list via "next" and are additionally
 * indexed by name in nxt_tls_conf_t.bundle_hash.
 */
struct nxt_tls_bundle_conf_s {
    /* Library-specific context object; opaque at this layer. */
    void                          *ctx;

    /* Descriptor of the chain file; presumably opened before server_init
     * so the backend can read it -- confirm in the backend. */
    nxt_fd_t                      chain_file;
    nxt_str_t                     name;

    nxt_tls_bundle_conf_t         *next;
};


/* Library-independent server TLS configuration shared by all connections. */
struct nxt_tls_conf_s {
    /* Head of the bundle list and its by-name index. */
    nxt_tls_bundle_conf_t         *bundle;
    nxt_lvlhsh_t                  bundle_hash;

    /*
     * Session ticket state; the struct is defined by the backend.  It holds
     * key material for ticket encryption, so its lifetime and zeroization
     * are the backend's responsibility -- not visible from this header.
     */
    nxt_tls_tickets_t             *tickets;

    /* Per-connection hook installed by the backend's server_init. */
    void                          (*conn_init)(nxt_task_t *task,
                                               nxt_tls_conf_t *conf, nxt_conn_t *c);

    /* Backend in use for this configuration. */
    const nxt_tls_lib_t           *lib;

    /* Cipher list string handed to the library; format is library-specific. */
    char                          *ciphers;

    /* Path (presumably) of the CA certificate used for client verification
     * -- TODO confirm how the backend interprets it. */
    char                          *ca_certificate;

    /* Output buffering size; see NXT_TLS_BUFFER_SIZE for the rationale. */
    size_t                        buffer_size;

    /* Boolean flag stored in a byte; only 1 bit is meaningful.
     * NOTE(review): presumably skips waiting for the peer's close_notify
     * on shutdown -- confirm in the backend before relying on it. */
    uint8_t                       no_wait_shutdown;  /* 1 bit */
};


/* Parameters passed to nxt_tls_lib_t.server_init; result lands in conf. */
struct nxt_tls_init_s {
    /* Session cache size and timeout -- units and semantics are defined
     * by the backend, not here. */
    size_t                        cache_size;
    nxt_time_t                    timeout;
    /* Raw configuration subtrees the backend interprets itself. */
    nxt_conf_value_t              *conf_cmds;
    nxt_conf_value_t              *tickets_conf;

    /* Configuration object to populate. */
    nxt_tls_conf_t                *conf;
};


#if (NXT_HAVE_OPENSSL)
extern const nxt_tls_lib_t  nxt_openssl_lib;

/*
 * printf-style logger for the OpenSSL error queue.  "fmt" is a format
 * string: callers must pass a trusted literal, never data taken from the
 * peer or from configuration.
 */
void nxt_cdecl nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level,
    const char *fmt, ...);
/* Copies the pending OpenSSL error text into [p, end); returns the new end. */
u_char *nxt_openssl_copy_error(u_char *p, u_char *end);
#endif

#if (NXT_HAVE_GNUTLS)
extern const nxt_tls_lib_t  nxt_gnutls_lib;
#endif

#if (NXT_HAVE_CYASSL)
extern const nxt_tls_lib_t  nxt_cyassl_lib;
#endif

#if (NXT_HAVE_POLARSSL)
extern const nxt_tls_lib_t  nxt_polar_lib;
#endif


#endif /* _NXT_TLS_H_INCLUDED_ */