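
/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */


/*
 * Public interface of the OpenSSL-backed TLS layer (ngx_event_openssl.c).
 *
 * Besides the prototypes, this header papers over API differences between
 * OpenSSL releases and LibreSSL so that the rest of nginx can be written
 * against a single set of names.
 */

#ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_
#define _NGX_EVENT_OPENSSL_H_INCLUDED_


#include <ngx_config.h>
#include <ngx_core.h>

/*
 * Must precede the OpenSSL headers: silences the deprecation warnings that
 * OpenSSL 3.x attaches to the legacy APIs (ENGINE, RSA, DH, HMAC) still
 * included below.
 */
#define OPENSSL_SUPPRESS_DEPRECATED

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/conf.h>
#include <openssl/crypto.h>
#include <openssl/dh.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
#include <openssl/evp.h>
#include <openssl/hmac.h>
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#define NGX_SSL_NAME     "OpenSSL"


/*
 * LibreSSL always reports OPENSSL_VERSION_NUMBER 0x20000000L, which would
 * satisfy every version test below.  Remap it to the OpenSSL release whose
 * API the given LibreSSL version actually provides (1.1.0 from 2.8.0 on,
 * 1.0.1 before that) so the feature tests stay meaningful.
 */
#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L)
#undef OPENSSL_VERSION_NUMBER
#if (LIBRESSL_VERSION_NUMBER >= 0x2080000fL)
#define OPENSSL_VERSION_NUMBER  0x1010000fL
#else
#define OPENSSL_VERSION_NUMBER  0x1000107fL
#endif
#endif


/* SSLeay_version() was renamed OpenSSL_version() in 1.1.0 */

#if (OPENSSL_VERSION_NUMBER >= 0x10100001L)

#define ngx_ssl_version()       OpenSSL_version(OPENSSL_VERSION)

#else

#define ngx_ssl_version()       SSLeay_version(SSLEAY_VERSION)

#endif


#define ngx_ssl_session_t       SSL_SESSION
#define ngx_ssl_conn_t          SSL


/*
 * Before 1.0.2 there is no SSL_is_server() accessor; the SSL structure is
 * still transparent on those releases, so read the member directly.
 */
#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
#define SSL_is_server(s) (s)->server
#endif


/*
 * OpenSSL 3.0 renamed SSL_get_peer_certificate() to make the reference
 * semantics explicit: the "get1" variant, like the old name, hands the
 * caller a reference that must be released with X509_free().
 */
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined SSL_get_peer_certificate)
#define SSL_get_peer_certificate(s) SSL_get1_peer_certificate(s)
#endif


/*
 * ERR_peek_error_data() is new in 3.0; emulate it on older releases with
 * the line-data variant, discarding the file and line outputs.
 */
#if (OPENSSL_VERSION_NUMBER < 0x30000000L && !defined ERR_peek_error_data)
#define ERR_peek_error_data(d, f) ERR_peek_error_line_data(NULL, NULL, d, f)
#endif


typedef struct ngx_ssl_ocsp_s  ngx_ssl_ocsp_t;


/* one configured TLS context (server block, upstream, ...) */

struct ngx_ssl_s {
    SSL_CTX                    *ctx;
    ngx_log_t                  *log;
    size_t                      buffer_size;   /* output buffer size used for connections */
};


/* per-connection TLS state, hung off ngx_connection_t */

struct ngx_ssl_connection_s {
    ngx_ssl_conn_t             *connection;    /* the SSL object itself */
    SSL_CTX                    *session_ctx;   /* context the session cache is keyed on */

    ngx_int_t                   last;          /* NOTE(review): looks like the last I/O status — confirm */
    ngx_buf_t                  *buf;           /* output buffer, see NGX_SSL_BUFFER */
    size_t                      buffer_size;

    ngx_connection_handler_pt   handler;       /* presumably called once the handshake completes — verify */

    ngx_ssl_session_t          *session;       /* session to resume (client side) */
    ngx_connection_handler_pt   save_session;  /* hook to store a newly established session */

    ngx_event_handler_pt        saved_read_handler;   /* connection handlers parked during the handshake */
    ngx_event_handler_pt        saved_write_handler;

    ngx_ssl_ocsp_t             *ocsp;          /* in-flight OCSP validation state */

    u_char                      early_buf;     /* single byte of early data, see early_preread */

    unsigned                    handshaked:1;
    unsigned                    handshake_rejected:1;
    unsigned                    renegotiation:1;         /* renegotiation was attempted */
    unsigned                    buffer:1;                /* output buffering enabled */
    unsigned                    no_wait_shutdown:1;      /* do not wait for the peer's close_notify */
    unsigned                    no_send_shutdown:1;      /* do not send our own close_notify */
    unsigned                    shutdown_without_free:1;
    unsigned                    handshake_buffer_set:1;
    unsigned                    try_early_data:1;        /* TLS 1.3 0-RTT */
    unsigned                    in_early:1;
    unsigned                    in_ocsp:1;
    unsigned                    early_preread:1;
    unsigned                    write_blocked:1;
};


/*
 * Sentinel values for the builtin_session_cache argument of
 * ngx_ssl_session_cache(); non-negative values are taken as a cache size.
 */
#define NGX_SSL_NO_SCACHE            -2
#define NGX_SSL_NONE_SCACHE          -3
#define NGX_SSL_NO_BUILTIN_SCACHE    -4
#define NGX_SSL_DFLT_BUILTIN_SCACHE  -5


/* upper bound on a serialized session stored in the shared cache */
#define NGX_SSL_MAX_SESSION_SIZE  4096

typedef struct ngx_ssl_sess_id_s  ngx_ssl_sess_id_t;

/* one entry of the shared-memory session cache */

struct ngx_ssl_sess_id_s {
    ngx_rbtree_node_t           node;      /* keyed by session id */
    u_char                     *id;
    size_t                      len;
    u_char                     *session;   /* serialized SSL_SESSION */
    ngx_queue_t                 queue;     /* position in expire_queue */
    time_t                      expire;
#if (NGX_PTR_SIZE == 8)
    /* on 64-bit hosts the id bytes presumably live inline here, stub keeping
     * alignment — confirm against the allocation code in ngx_event_openssl.c */
    void                       *stub;
    u_char                      sess_id[32];
#endif
};


typedef struct {
    ngx_rbtree_t                session_rbtree;
    ngx_rbtree_node_t           sentinel;
    ngx_queue_t                 expire_queue;  /* oldest entries first, for eviction */
} ngx_ssl_session_cache_t;


#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB

/*
 * One session ticket key (RFC 5077).  The key material is secret: anything
 * that can read it can decrypt recorded sessions, so it is sized for
 * HMAC-SHA256 plus AES-128 or AES-256 depending on the file length.
 */
typedef struct {
    size_t                      size;          /* key file length; selects the AES key size — see ssl_session_ticket_key docs */
    u_char                      name[16];      /* key name sent to the client in the ticket */
    u_char                      hmac_key[32];
    u_char                      aes_key[32];
} ngx_ssl_session_ticket_key_t;

#endif


/* bit mask for the protocols argument of ngx_ssl_create() */

#define NGX_SSL_SSLv2    0x0002
#define NGX_SSL_SSLv3    0x0004
#define NGX_SSL_TLSv1    0x0008
#define NGX_SSL_TLSv1_1  0x0010
#define NGX_SSL_TLSv1_2  0x0020
#define NGX_SSL_TLSv1_3  0x0040


/* flags for ngx_ssl_create_connection() */

#define NGX_SSL_BUFFER   1
#define NGX_SSL_CLIENT   2

/* default output buffer size: one maximal TLS record of plaintext */
#define NGX_SSL_BUFSIZE  16384


/* library and context setup */

ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);

/* certificates, keys and peer verification; all return NGX_OK / NGX_ERROR */

ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);

ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
    ngx_uint_t prefer_server_ciphers);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);

/* OCSP stapling (server side) and OCSP validation of client certificates */

ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
ngx_int_t ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
    ngx_uint_t depth, ngx_shm_zone_t *shm_zone);
ngx_int_t ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
ngx_int_t ngx_ssl_ocsp_validate(ngx_connection_t *c);
ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s);
void ngx_ssl_ocsp_cleanup(ngx_connection_t *c);
ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data);

/*
 * Temporary RSA key callback for export-grade cipher suites.  Only exists
 * for pre-1.1.0 OpenSSL builds; such key sizes are far below any acceptable
 * strength and the path is retained purely for that legacy API.
 */
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
    int key_length);
#endif

/* private key passphrases: read from a file, kept alive in the config pool */

ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
    ngx_array_t *passwords);

/* key exchange parameters and miscellaneous context options */

ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_uint_t enable);
ngx_int_t ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *commands);

/* session resumption: builtin/shared cache and ticket keys */

ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_uint_t enable);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
    ngx_array_t *certificates, ssize_t builtin_session_cache,
    ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *paths);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);

/* attaches an SSL object to c; flags is a mask of NGX_SSL_BUFFER / NGX_SSL_CLIENT */

ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
    ngx_uint_t flags);

void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c);
ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c);
#define ngx_ssl_free_session        SSL_SESSION_free

/* recover the nginx objects stored in OpenSSL ex_data slots */

#define ngx_ssl_get_connection(ssl_conn)                                      \
    SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
#define ngx_ssl_get_server_conf(ssl_ctx)                                      \
    SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index)

/*
 * X509 verification errors that are tolerated when client verification is
 * configured as optional without a CA (presumably the optional_no_ca mode;
 * confirm with the callers).  Any other error still fails verification.
 * The argument is evaluated up to five times, so pass a plain variable.
 */
#define ngx_ssl_verify_error_optional(n)                                      \
    ((n) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT                            \
     || (n) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN                           \
     || (n) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY                   \
     || (n) == X509_V_ERR_CERT_UNTRUSTED                                      \
     || (n) == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)

/* checks the peer certificate against name; NGX_ERROR on mismatch */
ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name);


/*
 * Per-connection variable getters ($ssl_protocol, $ssl_cipher, ...).
 * Each fills s with a string allocated from pool and returns NGX_OK or
 * NGX_ERROR; an empty s means the value is not available.
 */

ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);


/* handshake, record I/O and teardown on an attached connection */

ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size);
ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size);
ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit);
ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in,
    off_t limit);
void ngx_ssl_free_buffer(ngx_connection_t *c);
ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c);

/* logs fmt followed by the pending OpenSSL error queue; fmt must be a literal */
void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
    char *fmt, ...);
void ngx_ssl_cleanup_ctx(void *data);


/* OpenSSL ex_data slot indices, assigned once at library initialization */

extern int  ngx_ssl_connection_index;
extern int  ngx_ssl_server_conf_index;
extern int  ngx_ssl_session_cache_index;
extern int  ngx_ssl_session_ticket_keys_index;
extern int  ngx_ssl_ocsp_index;
extern int  ngx_ssl_certificate_index;
extern int  ngx_ssl_next_certificate_index;
extern int  ngx_ssl_certificate_name_index;
extern int  ngx_ssl_stapling_index;


#endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */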