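
/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */


/*
 * Public interface of nginx's OpenSSL event layer: the per-SSL_CTX and
 * per-connection state, the shared session cache types, the configuration
 * entry points and the per-connection variable getters implemented in
 * ngx_event_openssl.c.  Only declarations live here.
 */

#ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_
#define _NGX_EVENT_OPENSSL_H_INCLUDED_


#include <ngx_config.h>
#include <ngx_core.h>

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/conf.h>
#include <openssl/crypto.h>
#include <openssl/dh.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
#include <openssl/evp.h>
#include <openssl/hmac.h>
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#define NGX_SSL_NAME     "OpenSSL"


/*
 * LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L; remap it to the
 * OpenSSL API level it is treated as compatible with, so that the
 * OPENSSL_VERSION_NUMBER comparisons below (and in ngx_event_openssl.c)
 * select the right code paths.
 */
#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L)
#undef OPENSSL_VERSION_NUMBER
#if (LIBRESSL_VERSION_NUMBER >= 0x2080000fL)
#define OPENSSL_VERSION_NUMBER  0x1010000fL
#else
#define OPENSSL_VERSION_NUMBER  0x1000107fL
#endif
#endif


/* library version string; OpenSSL 1.1.0 renamed SSLeay_version() */
#if (OPENSSL_VERSION_NUMBER >= 0x10100001L)

#define ngx_ssl_version()       OpenSSL_version(OPENSSL_VERSION)

#else

#define ngx_ssl_version()       SSLeay_version(SSLEAY_VERSION)

#endif


#define ngx_ssl_session_t       SSL_SESSION
#define ngx_ssl_conn_t          SSL


/* OpenSSL < 1.0.2 has no SSL_is_server() accessor; read the field directly */
#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
#define SSL_is_server(s) (s)->server
#endif


/*
 * Per-SSL_CTX state; referred to as ngx_ssl_t by the prototypes below
 * (the typedef is declared elsewhere).
 */
struct ngx_ssl_s {
    SSL_CTX                    *ctx;
    ngx_log_t                  *log;
    size_t                      buffer_size;
};


/*
 * Per-connection TLS state, hung off ngx_connection_t.  The bit flags are
 * set and cleared by ngx_event_openssl.c; their exact lifecycle is defined
 * there, not here.
 */
struct ngx_ssl_connection_s {
    ngx_ssl_conn_t             *connection;
    SSL_CTX                    *session_ctx;

    ngx_int_t                   last;
    ngx_buf_t                  *buf;
    size_t                      buffer_size;

    ngx_connection_handler_pt   handler;

    ngx_ssl_session_t          *session;
    ngx_connection_handler_pt   save_session;

    /* handlers stashed while the SSL layer temporarily takes over the event */
    ngx_event_handler_pt        saved_read_handler;
    ngx_event_handler_pt        saved_write_handler;

    u_char                      early_buf;

    unsigned                    handshaked:1;
    unsigned                    renegotiation:1;
    unsigned                    buffer:1;
    unsigned                    no_wait_shutdown:1;
    unsigned                    no_send_shutdown:1;
    unsigned                    handshake_buffer_set:1;
    unsigned                    try_early_data:1;
    unsigned                    in_early:1;
    unsigned                    early_preread:1;
    unsigned                    write_blocked:1;
};


/*
 * Negative sentinels for the builtin_session_cache argument of
 * ngx_ssl_session_cache() (which is why that argument is ssize_t rather
 * than size_t).
 */
#define NGX_SSL_NO_SCACHE            -2
#define NGX_SSL_NONE_SCACHE          -3
#define NGX_SSL_NO_BUILTIN_SCACHE    -4
#define NGX_SSL_DFLT_BUILTIN_SCACHE  -5


/* upper bound, in bytes, applied to sessions handled by the session cache */
#define NGX_SSL_MAX_SESSION_SIZE  4096

typedef struct ngx_ssl_sess_id_s  ngx_ssl_sess_id_t;

/*
 * One entry of the shared-memory session cache: an rbtree node keyed by the
 * session id plus an expiry queue link.  On 64-bit builds two extra fields
 * are appended; their use is layout-dependent and defined by the allocation
 * code in ngx_event_openssl.c (NOTE(review): confirm before changing sizes).
 */
struct ngx_ssl_sess_id_s {
    ngx_rbtree_node_t           node;
    u_char                     *id;
    size_t                      len;
    u_char                     *session;
    ngx_queue_t                 queue;
    time_t                      expire;
#if (NGX_PTR_SIZE == 8)
    void                       *stub;
    u_char                      sess_id[32];
#endif
};


/* shared-memory session cache root: lookup tree plus expiry queue */
typedef struct {
    ngx_rbtree_t                session_rbtree;
    ngx_rbtree_node_t           sentinel;
    ngx_queue_t                 expire_queue;
} ngx_ssl_session_cache_t;


/* only available when OpenSSL exposes the ticket key callback control */
#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB

/*
 * One TLS session ticket key as loaded from a key file.  hmac_key and
 * aes_key are secret key material by their naming; the size field records
 * how much of the file was read.  Anything that copies or frees instances
 * of this struct should treat them as secrets (zeroisation is the .c side's
 * responsibility, not visible here).
 */
typedef struct {
    size_t                      size;
    u_char                      name[16];
    u_char                      hmac_key[32];
    u_char                      aes_key[32];
} ngx_ssl_session_ticket_key_t;

#endif


/*
 * Protocol bit flags; presumably OR-ed together into the protocols argument
 * of ngx_ssl_create().  SSLv2/SSLv3 remain only for configuration
 * compatibility.
 */
#define NGX_SSL_SSLv2    0x0002
#define NGX_SSL_SSLv3    0x0004
#define NGX_SSL_TLSv1    0x0008
#define NGX_SSL_TLSv1_1  0x0010
#define NGX_SSL_TLSv1_2  0x0020
#define NGX_SSL_TLSv1_3  0x0040


/* flags argument of ngx_ssl_create_connection() */
#define NGX_SSL_BUFFER   1
#define NGX_SSL_CLIENT   2

#define NGX_SSL_BUFSIZE  16384


/* library and SSL_CTX setup; all return NGX_OK / NGX_ERROR unless noted */
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);

/* certificate and key loading; passwords is the array from
 * ngx_ssl_read_password_file() / ngx_ssl_preserve_passwords() */
ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);

ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
    ngx_uint_t prefer_server_ciphers);
/* peer verification: CA bundle (with chain depth), trust store, CRL */
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
/* OCSP stapling; verify selects whether the staple is validated */
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
/* matches OpenSSL's temporary RSA key callback signature (export ciphers) */
RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
    int key_length);
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
    ngx_array_t *passwords);
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_uint_t enable);
ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_uint_t enable);
/* builtin_session_cache is a size or one of the NGX_SSL_*_SCACHE sentinels */
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
    ngx_array_t *certificates, ssize_t builtin_session_cache,
    ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *paths);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
    ngx_uint_t flags);

void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
/* get_session returns an owned reference, get0_session a borrowed one */
ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c);
ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c);
#define ngx_ssl_free_session        SSL_SESSION_free
/* ex_data accessors keyed by the index globals declared at the bottom */
#define ngx_ssl_get_connection(ssl_conn)                                      \
    SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
#define ngx_ssl_get_server_conf(ssl_ctx)                                      \
    SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index)

/*
 * X509 verification results a caller may elect to tolerate when the peer
 * certificate does not chain to a configured trust anchor (presumably the
 * "optional"/"optional_no_ca" verification modes; confirm at the call site).
 * The argument is parenthesized so an expression such as a conditional can
 * be passed without changing the precedence of the comparisons.
 */
#define ngx_ssl_verify_error_optional(n)                                      \
    ((n) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT                            \
     || (n) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN                           \
     || (n) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY                   \
     || (n) == X509_V_ERR_CERT_UNTRUSTED                                      \
     || (n) == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)

/* hostname check of the peer certificate against name */
ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name);


/*
 * Per-connection variable getters: each fills *s (allocated from pool when
 * needed) and returns NGX_OK / NGX_ERROR.
 */
ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);


/* connection I/O; recv/write return byte counts or an ngx error code */
ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size);
ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size);
ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit);
ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in,
    off_t limit);
void ngx_ssl_free_buffer(ngx_connection_t *c);
ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c);
/*
 * Logs err plus the OpenSSL error queue.  fmt is a printf-style format and
 * must be a caller-controlled literal, never data received from the peer.
 */
void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
    char *fmt, ...);
void ngx_ssl_cleanup_ctx(void *data);


/* OpenSSL ex_data slot indices, allocated once at init in ngx_event_openssl.c */
extern int  ngx_ssl_connection_index;
extern int  ngx_ssl_server_conf_index;
extern int  ngx_ssl_session_cache_index;
extern int  ngx_ssl_session_ticket_keys_index;
extern int  ngx_ssl_certificate_index;
extern int  ngx_ssl_next_certificate_index;
extern int  ngx_ssl_certificate_name_index;
extern int  ngx_ssl_stapling_index;


#endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */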