3 * Copyright (C) Igor Sysoev
4 * Copyright (C) Nginx, Inc.
8 #ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_
9 #define _NGX_EVENT_OPENSSL_H_INCLUDED_
12 #include <ngx_config.h>
15 #include <openssl/ssl.h>
16 #include <openssl/err.h>
17 #include <openssl/conf.h>
18 #include <openssl/engine.h>
19 #include <openssl/evp.h>
20 #include <openssl/ocsp.h>
/* name of the SSL backend this header binds nginx to */
#define NGX_SSL_NAME     "OpenSSL"

/* nginx-side aliases for the OpenSSL session and connection object types */
#define ngx_ssl_session_t       SSL_SESSION
#define ngx_ssl_conn_t          SSL
36 ngx_ssl_conn_t
*connection
;
41 ngx_connection_handler_pt handler
;
43 ngx_event_handler_pt saved_read_handler
;
44 ngx_event_handler_pt saved_write_handler
;
46 unsigned handshaked
:1;
47 unsigned renegotiation
:1;
49 unsigned no_wait_shutdown
:1;
50 unsigned no_send_shutdown
:1;
51 } ngx_ssl_connection_t
;
/*
 * Sentinel values for the builtin_session_cache argument of
 * ngx_ssl_session_cache() (declared below as ssize_t, so negative values
 * cannot collide with a real cache size).  Presumably they select "no
 * cache", "none", "no builtin cache" and "builtin cache of default size"
 * respectively -- confirm against the implementation file.
 */
#define NGX_SSL_NO_SCACHE            -2
#define NGX_SSL_NONE_SCACHE          -3
#define NGX_SSL_NO_BUILTIN_SCACHE    -4
#define NGX_SSL_DFLT_BUILTIN_SCACHE  -5

/* upper bound, in bytes, on a session stored in the cache.
 * NOTE(review): presumably the size of the buffer a serialized session is
 * written into before caching; larger sessions would be skipped -- confirm */
#define NGX_SSL_MAX_SESSION_SIZE  4096
62 typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t
;
64 struct ngx_ssl_sess_id_s
{
65 ngx_rbtree_node_t node
;
71 #if (NGX_PTR_SIZE == 8)
79 ngx_rbtree_t session_rbtree
;
80 ngx_rbtree_node_t sentinel
;
81 ngx_queue_t expire_queue
;
82 } ngx_ssl_session_cache_t
;
/*
 * Protocol selection bits.  The ngx_uint_t "protocols" argument of
 * ngx_ssl_create() is presumably a mask of these.  SSLv2 and SSLv3 are
 * obsolete (prohibited by RFC 6176 and RFC 7568 respectively); the bits
 * remain so that existing configurations still parse, and a deployment
 * should leave them disabled.
 */
#define NGX_SSL_SSLv2    0x0002
#define NGX_SSL_SSLv3    0x0004
#define NGX_SSL_TLSv1    0x0008
#define NGX_SSL_TLSv1_1  0x0010
#define NGX_SSL_TLSv1_2  0x0020

/* per-connection flags; presumably the trailing argument of
 * ngx_ssl_create_connection() (its last parameter is not visible here).
 * NGX_SSL_BUFFER enables the output buffer freed by ngx_ssl_free_buffer();
 * NGX_SSL_CLIENT marks the connection as the client side. */
#define NGX_SSL_BUFFER   1
#define NGX_SSL_CLIENT   2

/* I/O buffer size; 16384 (2^14) equals the TLS maximum plaintext record
 * size, presumably so that one buffer holds a complete record */
#define NGX_SSL_BUFSIZE  16384
/* one-time library initialisation; log receives any failure detail */
ngx_int_t ngx_ssl_init(ngx_log_t *log);

/* create the SSL context held by *ssl.  protocols is presumably a mask of
 * the NGX_SSL_* protocol bits above; data is an opaque pointer stored with
 * the context */
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);

/* server certificate and private key (cert/key are presumably file names
 * resolved relative to the configuration) */
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_str_t *key);

/* CA certificate(s) used to verify client certificates; depth bounds the
 * length of the chain accepted during verification */
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_int_t depth);

/* additional trusted CA certificate(s); same depth semantics as above */
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_int_t depth);

/* certificate revocation list consulted during verification */
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);

/* OCSP stapling setup.  file is presumably a pre-fetched OCSP response,
 * responder an explicit responder URL, and verify whether the stapled
 * response is itself verified -- confirm in the implementation */
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);

/* resolver (and its timeout) used to look up the OCSP responder host */
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);

/* temporary RSA key callback, in OpenSSL's tmp_rsa callback signature.
 * NOTE(review): a 512-bit key is far below modern strength and is only
 * relevant to export-grade cipher suites; those suites should stay disabled */
RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);

/* Diffie-Hellman parameters loaded from file */
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);

/* named curve used for ECDH key exchange */
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);

/* session cache setup.  builtin_session_cache is either a size or one of
 * the NGX_SSL_*_SCACHE sentinels; shm_zone is the shared cache zone
 * (presumably NULL when none is configured); timeout is the session
 * lifetime (time_t, presumably seconds) */
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
    ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);

/* shared-zone init callback for the session cache (ngx_shm_zone_t init
 * handler signature) */
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
118 ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t
*ssl
, ngx_connection_t
*c
,
/* remove sess from the session cache attached to the SSL_CTX ssl */
void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);

/* offer a previously saved session for reuse on connection c
 * (presumably client-side resumption) */
ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
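/*
 * Session accessors.  ngx_ssl_get_session() returns a new reference
 * (SSL_get1_session increments the session's reference count), which the
 * caller must release with ngx_ssl_free_session().  The macro argument is
 * parenthesised so that an expression such as &conn can be passed.
 */
#define ngx_ssl_get_session(c)      SSL_get1_session((c)->ssl->connection)
#define ngx_ssl_free_session        SSL_SESSION_free

/* ex_data lookups: the nginx connection behind an SSL object and the
 * server configuration behind an SSL_CTX, stored at the index slots
 * declared at the bottom of this header.  Arguments are parenthesised. */
#define ngx_ssl_get_connection(ssl_conn)                                      \
    SSL_get_ex_data((ssl_conn), ngx_ssl_connection_index)
#define ngx_ssl_get_server_conf(ssl_ctx)                                      \
    SSL_CTX_get_ex_data((ssl_ctx), ngx_ssl_server_conf_index)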
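/*
 * True when verification error n is one that may be tolerated: all five
 * codes describe an incomplete or untrusted chain rather than a malformed,
 * expired or mis-signed certificate (presumably used by the optional
 * client-verify mode).  n is evaluated up to five times, so pass a plain
 * variable rather than an expression with side effects.  The argument is
 * parenthesised so that operators inside it cannot rebind against the
 * comparisons.
 */
#define ngx_ssl_verify_error_optional(n)                                      \
    ((n) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT                            \
     || (n) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN                           \
     || (n) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY                   \
     || (n) == X509_V_ERR_CERT_UNTRUSTED                                      \
     || (n) == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)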
138 ngx_int_t
ngx_ssl_get_protocol(ngx_connection_t
*c
, ngx_pool_t
*pool
,
140 ngx_int_t
ngx_ssl_get_cipher_name(ngx_connection_t
*c
, ngx_pool_t
*pool
,
142 ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t
*c
, ngx_pool_t
*pool
,
144 ngx_int_t
ngx_ssl_get_raw_certificate(ngx_connection_t
*c
, ngx_pool_t
*pool
,
146 ngx_int_t
ngx_ssl_get_certificate(ngx_connection_t
*c
, ngx_pool_t
*pool
,
148 ngx_int_t
ngx_ssl_get_subject_dn(ngx_connection_t
*c
, ngx_pool_t
*pool
,
150 ngx_int_t
ngx_ssl_get_issuer_dn(ngx_connection_t
*c
, ngx_pool_t
*pool
,
152 ngx_int_t
ngx_ssl_get_serial_number(ngx_connection_t
*c
, ngx_pool_t
*pool
,
154 ngx_int_t
ngx_ssl_get_client_verify(ngx_connection_t
*c
, ngx_pool_t
*pool
,
/* drive the TLS handshake on c; completion is presumably recorded in the
 * "handshaked" bit of ngx_ssl_connection_t */
ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);

/* read up to size bytes of plaintext into buf; returns the byte count or
 * a negative status, per the ssize_t convention */
ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size);

/* write up to size bytes of plaintext from data; same return convention */
ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size);

/* read plaintext into the buffers of chain cl */
ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl);
162 ngx_chain_t
*ngx_ssl_send_chain(ngx_connection_t
*c
, ngx_chain_t
*in
,
/* release the connection's SSL output buffer (see NGX_SSL_BUFFER and
 * NGX_SSL_BUFSIZE) */
void ngx_ssl_free_buffer(ngx_connection_t *c);

/* perform the close_notify shutdown exchange on c; the no_wait_shutdown
 * and no_send_shutdown bits of ngx_ssl_connection_t presumably control
 * how much of the exchange is carried out */
ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c);
166 void ngx_cdecl
ngx_ssl_error(ngx_uint_t level
, ngx_log_t
*log
, ngx_err_t err
,
/* pool cleanup handler; data is presumably the ngx_ssl_t whose SSL_CTX is
 * released -- confirm against the registration site */
void ngx_ssl_cleanup_ctx(void *data);
/*
 * ex_data index slots.  ngx_ssl_connection_index and
 * ngx_ssl_server_conf_index are used by the ngx_ssl_get_connection() and
 * ngx_ssl_get_server_conf() macros above; the remaining three are
 * presumably used the same way from the implementation.  They are
 * presumably allocated once during ngx_ssl_init() -- confirm.
 */
extern int  ngx_ssl_connection_index;
extern int  ngx_ssl_server_conf_index;
extern int  ngx_ssl_session_cache_index;
extern int  ngx_ssl_certificate_index;
extern int  ngx_ssl_stapling_index;
178 #endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */