annotate src/event/ngx_event_openssl.h @ 4874:d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Missed in previous commit.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:42:43 +0000 |
parents | dd74fd35ceb5 |
children | 386a06a22c40 |
/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */


#ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_
#define _NGX_EVENT_OPENSSL_H_INCLUDED_


#include <ngx_config.h>
#include <ngx_core.h>

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/conf.h>
#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/ocsp.h>          /* OCSP stapling, see ngx_ssl_stapling() */

/* the TLS library this event layer is built on */
#define NGX_SSL_NAME     "OpenSSL"


/* nginx-side aliases for OpenSSL's session and connection object types */
#define ngx_ssl_session_t       SSL_SESSION
#define ngx_ssl_conn_t          SSL


/*
 * SSL configuration context: an OpenSSL SSL_CTX together with the
 * log associated with it.
 */
typedef struct {
    SSL_CTX                    *ctx;
    ngx_log_t                  *log;
} ngx_ssl_t;


/*
 * Per-connection SSL state; reached from an ngx_connection_t as c->ssl
 * (see ngx_ssl_get_session() below).
 */
typedef struct {
    ngx_ssl_conn_t             *connection;   /* the OpenSSL SSL object */

    ngx_int_t                   last;
    ngx_buf_t                  *buf;          /* created on demand, released
                                                 by ngx_ssl_free_buffer() */

    ngx_connection_handler_pt   handler;

    /*
     * read/write handlers saved while SSL I/O takes over the event
     * handlers -- presumably restored afterwards, confirm in the .c
     */
    ngx_event_handler_pt        saved_read_handler;
    ngx_event_handler_pt        saved_write_handler;

    unsigned                    handshaked:1;       /* handshake is finished */
    /*
     * flag introduced when SSL renegotiation was disabled
     * (CVE-2009-3555); marks a renegotiation attempt on the connection
     */
    unsigned                    renegotiation:1;
    unsigned                    buffer:1;           /* cf. NGX_SSL_BUFFER */
    /* shutdown behaviour, consumed by ngx_ssl_shutdown() -- confirm */
    unsigned                    no_wait_shutdown:1;
    unsigned                    no_send_shutdown:1;
} ngx_ssl_connection_t;


/*
 * Presumably the special (negative) values of the builtin_session_cache
 * argument of ngx_ssl_session_cache(), with non-negative values being a
 * real builtin cache size -- confirm against the callers.
 */
#define NGX_SSL_NO_SCACHE            -2
#define NGX_SSL_NONE_SCACHE          -3
#define NGX_SSL_NO_BUILTIN_SCACHE    -4
#define NGX_SSL_DFLT_BUILTIN_SCACHE  -5


/* upper bound for a session kept in the cache; see ngx_ssl_sess_id_s */
#define NGX_SSL_MAX_SESSION_SIZE  4096


typedef struct ngx_ssl_sess_id_s  ngx_ssl_sess_id_t;

/*
 * One cached SSL session as kept in ngx_ssl_session_cache_t: linked into
 * session_rbtree through node and into expire_queue through queue.
 */
struct ngx_ssl_sess_id_s {
    ngx_rbtree_node_t           node;        /* in session_rbtree */
    u_char                     *id;          /* session id */
    size_t                      len;         /* presumably the length of
                                                session -- confirm in the .c */
    u_char                     *session;     /* the session data */
    ngx_queue_t                 queue;       /* in expire_queue */
    time_t                      expire;
#if (NGX_PTR_SIZE == 8)
    /*
     * 64-bit only: inline storage added to reduce the allocations made
     * per cache entry (see the annotate history); what stub pads is not
     * visible from the header -- confirm in the .c
     */
    void                       *stub;
    u_char                      sess_id[32];
#endif
};


/*
 * Session cache kept in a shared memory zone (see ngx_ssl_session_cache()
 * and ngx_ssl_session_cache_init()): entries (ngx_ssl_sess_id_t) sit in
 * session_rbtree for lookup and in expire_queue ordered by expiry.
 */
typedef struct {
    ngx_rbtree_t                session_rbtree;
    ngx_rbtree_node_t           sentinel;      /* rbtree sentinel node */
    ngx_queue_t                 expire_queue;
} ngx_ssl_session_cache_t;



/*
 * Protocol bits for the "protocols" argument of ngx_ssl_create().
 * SSLv2 and SSLv3 are obsolete and insecure and should stay disabled
 * in practice.
 */
#define NGX_SSL_SSLv2    0x0002
#define NGX_SSL_SSLv3    0x0004
#define NGX_SSL_TLSv1    0x0008
#define NGX_SSL_TLSv1_1  0x0010
#define NGX_SSL_TLSv1_2  0x0020


/* presumably the "flags" of ngx_ssl_create_connection() -- confirm */
#define NGX_SSL_BUFFER   1
#define NGX_SSL_CLIENT   2

/* 16384 is the maximum TLS record plaintext size (2^14 bytes) */
#define NGX_SSL_BUFSIZE  16384


/* library and context setup; all return an ngx_int_t status */
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
/* server certificate and private key files */
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_str_t *key);
/* presumably the CA bundle and verification depth for client certificates */
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_int_t depth);
/* ssl_trusted_certificate directive, added for OCSP stapling */
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
/* ssl_stapling_file support: OCSP response loaded from file */
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
/*
 * Generates the 512-bit RSA key for export ciphersuites on demand.
 * 512-bit RSA provides no meaningful security; it exists solely for
 * legacy export-grade clients.
 */
RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
/*
 * Session caching: builtin_session_cache is a size or one of the
 * NGX_SSL_*_SCACHE values, shm_zone the shared cache zone, timeout
 * the session lifetime.
 */
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
    ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
/* attaches SSL state to c; flags presumably NGX_SSL_BUFFER / NGX_SSL_CLIENT */
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
    ngx_uint_t flags);

/*
 * Invalidates sess in the cache, e.g. when the connection had no valid
 * client certificate, so it cannot be resumed later.
 */
void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
/*
 * SSL_get1_session() returns the session with its reference count
 * incremented, so each ngx_ssl_get_session() needs a matching
 * ngx_ssl_free_session().
 */
#define ngx_ssl_get_session(c)      SSL_get1_session(c->ssl->connection)
#define ngx_ssl_free_session        SSL_SESSION_free
/* nginx objects stored in OpenSSL ex_data, see the *_index externs below */
#define ngx_ssl_get_connection(ssl_conn)                                      \
    SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
#define ngx_ssl_get_server_conf(ssl_ctx)                                      \
    SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index)


/*
 * Connection variable accessors: each describes one property of the SSL
 * connection c as a string in *s (presumably allocated from pool) and
 * returns an ngx_int_t status.
 */
ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
/* client certificate, raw and formatted forms */
ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
/* result of client certificate verification */
ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);


/* connection I/O */
ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size);
ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size);
ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl);
ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in,
    off_t limit);
/* releases ngx_ssl_connection_t.buf, e.g. before keep-alive */
void ngx_ssl_free_buffer(ngx_connection_t *c);
ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c);
/*
 * Logs err at the given level; fmt is a printf-style format and must be
 * a literal supplied by the caller, never text received from the peer.
 */
void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
    char *fmt, ...);
/* cleanup handler for an SSL context -- confirm what data points to */
void ngx_ssl_cleanup_ctx(void *data);


/*
 * OpenSSL ex_data slot indices used by ngx_ssl_get_connection(),
 * ngx_ssl_get_server_conf() and the session cache.
 */
extern int  ngx_ssl_connection_index;
extern int  ngx_ssl_server_conf_index;
extern int  ngx_ssl_session_cache_index;


#endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */