/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) NGINX, Inc.
 */

#ifndef _NXT_TLS_H_INCLUDED_
#define _NXT_TLS_H_INCLUDED_


#include <nxt_conf.h>


/*
 * TLS configuration types and the backend "library" interface that is shared
 * by the TLS implementations declared at the bottom of this header (OpenSSL,
 * GnuTLS, CyaSSL, PolarSSL).  The structures here are configuration and
 * initialization state only; the backend-specific context is kept opaque
 * (void *ctx) and is owned by the backend that created it.
 */

/*
 * The SSL/TLS libraries lack vector I/O interface yet add noticeable
 * overhead to each SSL/TLS record so buffering allows to decrease the
 * overhead.  The typical overhead size is about 30 bytes, however, TLS
 * supports also random padding up to 255 bytes.  The maximum SSLv3/TLS
 * record size is 16K.  However, large records increase decryption latency.
 * 4K is good compromise between 1-6% of SSL/TLS overhead and the latency.
 * 4K buffer allows to send one SSL/TLS record (4096-bytes data and up to
 * 224-bytes overhead) in three 1440-bytes TCP/IPv4 packets with timestamps
 * and compatible with tunnels.
 */

#define NXT_TLS_BUFFER_SIZE  4096


/*
 * Forward declarations.  nxt_tls_conf_s, nxt_tls_bundle_conf_s and
 * nxt_tls_init_s are defined below; nxt_tls_ticket_s and nxt_tls_tickets_s
 * are only named here and defined elsewhere.
 */
typedef struct nxt_tls_conf_s         nxt_tls_conf_t;
typedef struct nxt_tls_bundle_conf_s  nxt_tls_bundle_conf_t;
typedef struct nxt_tls_init_s         nxt_tls_init_t;
typedef struct nxt_tls_ticket_s       nxt_tls_ticket_t;
typedef struct nxt_tls_tickets_s      nxt_tls_tickets_t;


/*
 * Backend vtable.  There is one constant instance per supported TLS library
 * (see the nxt_*_lib externs below) and nxt_tls_conf_t.lib points at the one
 * in use.
 */
typedef struct {
    /*
     * Whole-library setup and teardown; presumably called once per process
     * rather than per listener — confirm against the backend.
     */
    nxt_int_t                     (*library_init)(nxt_task_t *task);
    void                          (*library_free)(nxt_task_t *task);

    /*
     * Server-side context setup from an nxt_tls_init_t and the matching
     * teardown of the resulting nxt_tls_conf_t.  The meaning of "last" is
     * not stated in this header; NOTE(review): it reads like a "final call
     * of a sequence" flag — verify in the backend's server_init.
     */
    nxt_int_t                     (*server_init)(nxt_task_t *task, nxt_mp_t *mp,
                                      nxt_tls_init_t *tls_init,
                                      nxt_bool_t last);
    void                          (*server_free)(nxt_task_t *task,
                                      nxt_tls_conf_t *conf);
} nxt_tls_lib_t;


/*
 * Name -> bundle lookup entry; presumably the element type stored in
 * nxt_tls_conf_t.bundle_hash (keyed by "name") — confirm against the hash
 * test function in the backend.
 */
typedef struct {
    nxt_tls_bundle_conf_t         *bundle;

    nxt_str_t                     name;
} nxt_tls_bundle_hash_item_t;


/*
 * One certificate bundle.  Bundles form a singly linked list through "next",
 * headed by nxt_tls_conf_t.bundle.
 */
struct nxt_tls_bundle_conf_s {
    void                          *ctx;         /* backend-specific, opaque here */

    nxt_fd_t                      chain_file;   /* descriptor of the chain file, per its name */
    nxt_str_t                     name;

    nxt_tls_bundle_conf_t         *next;
};


/*
 * Per-listener TLS configuration produced by nxt_tls_lib_t.server_init and
 * released by server_free.
 */
struct nxt_tls_conf_s {
    nxt_tls_bundle_conf_t         *bundle;        /* list head */
    nxt_lvlhsh_t                  bundle_hash;    /* lookup by bundle name */

    nxt_tls_tickets_t             *tickets;       /* session ticket state; type defined elsewhere */

    /* Backend hook run when a new connection is attached to this config. */
    void                          (*conn_init)(nxt_task_t *task,
                                      nxt_tls_conf_t *conf, nxt_conn_t *c);

    const nxt_tls_lib_t           *lib;           /* active backend vtable */

    char                          *ciphers;       /* cipher list string, backend syntax */

    /*
     * NOTE(review): presumably the CA file used to verify client
     * certificates; which verification mode it enables is decided in the
     * backend, not here — confirm before relying on it.
     */
    char                          *ca_certificate;

    size_t                        buffer_size;    /* see NXT_TLS_BUFFER_SIZE above */

    /*
     * NOTE(review): looks like it skips waiting for the peer's close_notify
     * on shutdown — confirm against the backend's shutdown path.
     */
    uint8_t                       no_wait_shutdown;  /* 1 bit */
};


/*
 * Input to nxt_tls_lib_t.server_init.  "conf" is the configuration being
 * filled in; the nxt_conf_value_t members carry the parsed configuration
 * subtrees for backend commands and tickets.
 */
struct nxt_tls_init_s {
    size_t                        cache_size;     /* presumably session cache size — confirm */
    nxt_time_t                    timeout;        /* presumably session timeout — confirm */
    nxt_conf_value_t              *conf_cmds;
    nxt_conf_value_t              *tickets_conf;

    nxt_tls_conf_t                *conf;
};


#if (NXT_HAVE_OPENSSL)
extern const nxt_tls_lib_t  nxt_openssl_lib;

/*
 * Logs the OpenSSL error queue at the given level.  "fmt" is a printf-style
 * format (per the fmt/... signature): pass a literal format, never text that
 * originates from the peer or the configuration.
 */
void nxt_cdecl nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level,
    const char *fmt, ...);
/*
 * Copies the pending OpenSSL error text into [p, end) and returns the new
 * write position; the exact return on truncation is not visible here.
 */
u_char *nxt_openssl_copy_error(u_char *p, u_char *end);
#endif

#if (NXT_HAVE_GNUTLS)
extern const nxt_tls_lib_t  nxt_gnutls_lib;
#endif

#if (NXT_HAVE_CYASSL)
extern const nxt_tls_lib_t  nxt_cyassl_lib;
#endif

#if (NXT_HAVE_POLARSSL)
extern const nxt_tls_lib_t  nxt_polar_lib;
#endif


#endif /* _NXT_TLS_H_INCLUDED_ */